computer crimes and intellectual - welcome to the united states

Computer Crimesand Intellectual

PropertyDeciding Whether to Prosecute an Intellectual Property Case 1

By David Goldstone

Recognizing and Meeting Title III Concerns in ComputerInvestigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

By Robert Strang

Identity Theft: The Crime of the New Millennium . . . . . . . . 14By Sean B. Hoar

Computer Records and the Federal Rules of Evidence . . . . 25By Orin S. Kerr

Gambling Against Enforcement— Internet Sports Books and theWireWager Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

By Joseph V. DeMarco

Working with Victims of Computer Netword Hacks . . . . . . 38By Richard P. Salgado

Supervised Release and Probation Restrictions in Hacker Cases43By Christopher M.E. Painter

March 2001Volume 49Number 2

United StatesDepartment of JusticeExecutive Office for

United States AttorneysOffice of Legal Education

Washington, DC20535

Mark T. CallowayDirector

Contributors’ opinions andstatements should not beconsidered an endorsementby EOUSA for any policy,

program, or service

The United States Attorneys’Bulletin is published pursuant

to 28 CFR § 0.22(b)

The United States Attorneys’Bulletin is published bi-

monthly by the ExecutiveOffice for United States

Attorneys, Office of LegalEducation, 1620 PendletonStreet, Columbia, South

Carolina 29201. Periodicalpostage paid at Washington,D.C. Postmaster: Send

address changes to Editor,United States Attorneys’Bulletin, Office of Legal

Education, 1620 PendletonStreet, Columbia, South

Carolina 29201

Managing EditorJim Donovan

Assistant EditorNancy Bowman

Law ClerkTodd Hagins

Internet Addresswww.usdoj.gov/usao/

eousa/foia/foiamanuals.html

Send article submissions toManaging Editor, UnitedStates Attorneys’ Bulletin,National Advocacy Center Office of Legal Education1620 Pendleton StreetColumbia, SC 29201

In This Issue

MARCH 2001 UNITED STATES ATTORNEYS' BULLETIN 1

Deciding Whether to Prosecute anIntellectual Property CaseDavid GoldstoneTrial Attorney, Computer Crime andIntellectual Property SectionTeam Leader, Intellectual Property Team

Federal prosecutors know that decidingwhether to prosecute a particular case requires theexercise of judgment and discretion, which cantake years of experience to develop. But what ifyou are presented with an intellectual property(“IP”) case and you have not done many of thembefore, if any? How should you decide whether aparticular case of counterfeit computer chips,pirated music or software sold (or given away forfree) over the Internet, or stolen satellite signalsshould be charged, even if an investigatorprovides evidence to prove all the elements? Whatspecial considerations, if any, come into play?

Even experienced federal prosecutors shouldreconsider first principles in evaluating the meritsof an IP case, because of a few characteristics ofsuch cases, including:

! IP crime always has a direct victim (the IPholder) and undermines the IP system as awhole (like counterfeiting of money), inaddition to any fraud perpetrated on therecipient of the counterfeit good or piratedwork;

! Because IP crime can be perpetratedwithout any direct contact with the victimIP holder (such as counterfeiting goodswithout asking the permission of thetrademark holder), the direct victim of IPcrime is basically defenseless against IPtheft;

! IP rights, such as trademark andcopyright, are in part created by federallaw and administered by federal agenciesand are thus of special federal interest;

! Effective enforcement of IP laws isessential to the foundation of the growinginformation economy; and

! The May 2000 revision to the SentencingGuidelines more accurately recognizes theloss caused by IP crime.

The recently published manual, ComputerCrime and Intellectual Property Section,Department of Justice, Prosecuting IntellectualProperty Crimes (2001), can be a valuableresource for evaluating these, as well as the otherissues that arise in IP cases. Generally, federalprosecutors should take into account the same considerations in determining whether to chargean IP crime as they would with respect to allfederal crimes. See, e.g., U.S. Attorneys’Manual § 9-27.220. Thus, the prosecutors shouldevaluate all the considerations normally associatedwith the sound exercise of prosecutorialdiscretion. In exercising this discretion, U.S.Attorneys’ Manual § 9-27.220 notes threesituations in which the prosecutor may properlydecline to take action despite having admissibleevidence sufficient to obtain and sustain aconviction for a federal crime: "when nosubstantial federal interest would be served byprosecution;" when [t]he person is subject toeffective prosecution in another jurisdiction; "orwhen [t]here exists an adequate non-criminalalternative to prosecution." While individual U.S.Attorney’s Offices may evaluate these factorswith different standards, each of these grounds isdiscussed below with particular attention paid toIP crimes. Also, special considerations may arisewhen considering IP charges against corporations.See Prosecuting Intellectual Property Crimes§ VI.A.4 (2001).

1. The Federal Interest in IP Crimes

In determining the substantiality of the federalinterest that would be served by a prosecution, theattorney for the government should weigh allrelevant considerations, including:

2 UNITED STATES ATTORNEYS' BULLETIN MARCH 2001

(1) [current] federal law enforcementpriorities; (2) the nature and seriousness of theoffense; (3) the deterrent effect ofprosecution; (4) the person’s culpability inconnection with the offense; (5) the person’shistory with respect to criminal activity; (6)the person’s willingness to cooperate in theinvestigation or prosecution of others; and (7)the probable sentence or other consequencesif the person is convicted.

U.S. Attorneys’ Manual § 9-27.230.

All of these factors will be discussed belowwith specific attention to IP crimes. The last factor– the probable sentence – is especially noteworthyin light of the May 2000 revision to sentencingguideline § 2B5.3 to more accurately reflect theloss caused by IP crime. This new provision willbe discussed in detail below.

a. Federal Law Enforcement Priorities

The importance of IP to the nationaleconomy, and the scale of IP theft, led theDepartment of Justice to designate IP crime as a“priority” for federal law enforcement. As theU.S. Attorneys’ Manual recognizes, “from time totime the Department establishes nationalinvestigative and prosecutorial priorities. Thesepriorities are designed to focus Federal lawenforcement efforts on those matters within theFederal jurisdiction that are most deserving ofFederal attention and are most likely to be handledeffectively at the Federal level.” U.S. Attorneys’Manual § 9-27.230(B)(1) (cmt).

IP crimes were formally designated a“priority” by Deputy Attorney General EricHolder on July 23, 1999. Deputy AttorneyGeneral Eric Holder, Remarks at PressConference Announcing the Intellectual PropertyRights Initiative (Jul. 23, 1999) available at(http://www.cybercrime.gov/dagipini.html). Inannouncing the Intellectual Property RightsInitiative, Deputy Attorney General Holder statedthat the Department of Justice, the Federal Bureauof Investigation and the United States CustomsService had concluded that they must makeinvestigating and prosecuting IP crime “a majorlaw enforcement priority.” In making theannouncement, he noted the following:

As the world moves from the Industrial Ageto the Information Age, the United States’economy is increasingly dependent on theproduction and distribution of intellectualproperty. Currently, the U.S. leads the worldin the creation and export of intellectualproperty and IP-related products.

Deputy Attorney General Holder also observedthat “[a]t the same time that our informationeconomy is soaring, so is intellectual propertytheft.” Since IP theft undermines the federallyestablished copyright and trademark systems, it isespecially appropriate that investigation andprosecution of these crimes be a federal lawenforcement priority.

The IP Initiative is aimed at combating thegrowing wave of piracy and counterfeitingoffenses, both domestically and internationally,with the participation of U.S. Attorney’s offices inNew York, New Jersey, California, Florida andMassachusetts. The initiative has focused ontraining activities, improved coordination amonglaw enforcement agencies, increased cooperationwith industry, and highlighting IP internationally.In September, 2000 following the first-evermeeting of law enforcement experts from G-8countries, a group of leading industrializednations, to discuss trends in trafficking incounterfeit and pirated merchandise, it was agreedto address trends in trans-border IP crime.

In recent years, Congress has taken anespecially strong interest in IP crimes as well as IPlaw generally. Congress has recently enactedstiffer penalties for IP crimes, and has made manyIP crimes a predicate offense under the moneylaundering and RICO statutes. Moreover,Congress took the unprecedented step of singlingout IP crimes for detailed accounting in theAttorney General’s Annual AccountabilityReport. In enacting the AnticounterfeitingConsumer Protection Act of 1996, Pub. L. No.104-153, 110 Stat. 1386, Congress required theAttorney General to include in the annual report,on a district-by-district basis, the following fourcriteria: (1) the number of open investigations; (2)the number of cases referred by the United StatesCustoms Service; (3) the number of cases referredby other agencies or sources; and (4) the number


and outcome, including settlements, sentences,recoveries, and penalties, of all prosecutionsbrought under sections 2318, 2319, 2319A, and2320 of Title 18.

The federal interest in IP is no recent ortransitory development. It has been recognizedsince the ratification of the Constitution. See U.S.Const. art. I, § 8, cl. 8. Longtime Congressionalinterest in providing a sound federal basis for IPlaw is further demonstrated by two comprehensivebodies of statutes: the Copyright Act of 1976(codified as amended at Title 17); and the LanhamAct (codified as amended at 15 U.S.C. §§ 1051-1127). In fact, the Copyright Act in 1976established federal preemption over state lawbecause of the importance of a uniform federalcopyright law. See 17 U.S.C. § 301.

b. The Nature and Seriousness of theOffense

IP crimes, like other crimes, vary in theirnature and seriousness and it is therefore essentialto consider each case on its own facts. Limitedfederal resources should not be diverted toprosecute inconsequential cases or cases in whichthe violation is only technical. Prosecutors mayconsider any number of factors to determine theseriousness of an IP crime, including:

1. Whether the counterfeit goods or servicespresent potential health or safety issues(e.g., counterfeit medications or airplaneparts);

2. The scope of the infringing orcounterfeiting activities (e.g., whether thesubject infringes or traffics in multipleitems or the infringes upon multipleindustries or victims), as well as thevolume of infringing items manufacturedor distributed;

3. The scale of the infringing orcounterfeiting activities (e.g., the amountof illegitimate revenue and anyidentifiable illegitimate profit arising fromthe infringing or counterfeiting activitiesbased upon the retail value of theinfringed item);

4. The number of participants and theinvolvement of any organized criminalgroup;

5. The scale of the victim’s loss or potentialloss, including the value of the infringeditem, the size of the market for theinfringed IP that is being undermined(e.g., a best-selling software package or afamous trademark), and the impact of theinfringement on that market;

6. Whether the victim or victims tookreasonable measures (if any) to protectagainst the crime; and

7. Whether the purchasers of the infringingitems were victims of a fraudulentscheme, or whether there is a reasonablelikelihood of consumer mistake as a resultof the subject’s actions.

c. The Deterrent Effect of Prosecution

Deterrence of criminal conduct is one of theprimary goals of the criminal law. Experiencedemonstrates that many infringers will not bedeterred by civil liability, which can be treated asa cost of doing business. For example, even whena permanent injunction or consent decree is inforce, they do not necessarily deter somedefendants. Some defendants may respond to suchcivil remedies by changing the item upon whichthey are infringing, such as counterfeiting shirtsbearing marks of Major League Baseball teamsafter being the subject of an injunction obtainedby the National Football League. Others closeshop only to quickly reopen under a differentcorporate identity. Criminal prosecution can betterdeter a violator from repeating his or her crime.

Criminal prosecution of IP crimes is alsoimportant for general deterrence. Manyindividuals may commit intellectual propertycrimes not only because they can be relativelyeasy to commit (such as copying music) but alsobecause the subjects believe they will not beprosecuted. Criminal prosecution plays animportant role in establishing public expectationsof right and wrong. Even relatively small scaleviolations, if permitted to take place openly andnotoriously, can lead other people to believe thatsuch conduct is tolerated in American society.


While some cases of counterfeiting or piracy maynot result in provable direct loss to the holder ofthe IP right, the widespread commission of IPcrimes with impunity can be devastating to thevalue of such rights. The importance of generaldeterrence is easily understood with regard tocounterfeiting of United States currency. Eventhough some counterfeit bills can be “passed”without any harm to the monetary system of theUnited States, widespread commission ofcounterfeiting would be devastating to the valueof the dollar. Today’s brands have currency onlyto the extent that anticounterfeiting laws areenforced.

Vigorous prosecutions can change thecounterfeiter’s calculus. If individuals believe thatcounterfeiters will be investigated and prosecuted,they will be deterred. Industry groups representingvictims of IP crimes are acutely aware of theirneed for law enforcement protection for IP. Thesevictims will vigorously publicize successfulprosecutions. The resulting public awareness ofeffective prosecutions can have a substantialdeterrence effect.

d. The Individual’s Culpability inConnection with the Offense

IP crimes are often committed by multipleindividuals working in concert, such as a companythat traffics in counterfeit goods or piratedsoftware. See Prosecuting Intellectual PropertyCrimes § VI.A.4 (2001) (discussing specialconsiderations for cases involving corporations).The individuals in such an organization are notnecessarily equally culpable. For example, aprosecutor may reasonably conclude that somecourse other than prosecution would beappropriate for a relatively minor participant. Inconsidering the relative culpability of specificindividuals within a group of people who commitIP crimes in concert, a number of non-exclusivefactors have proven helpful, including: (1)whether the person had oversight responsibilityfor others; (2) whether the person specificallydirected others to commit the offense; (3) whetherthe person profited from the offense; (4) whetherthe person was specifically aware of the wrongfulnature of the activity, as evidenced by the receiptof a warning such as a “cease and desist” letter or

by a statement to collaborators admittingwrongfulness, but nonetheless continued toengage in the activity; and (5) whether the persontook affirmative steps, such as creating misleadingrecords, to deter investigation, and therebyfacilitate commission of the offense. Other factorsmay also be relevant in particular cases.

e. The Individual’s History with Respect toCriminal Activity

The subject’s history with respect to criminalactivity will of course be extremely factdependent. Experience with IP crime casesteaches that defendants often have a history ofengaging in a pattern of fraudulent conduct notnecessarily limited to IP crimes. It should not beassumed that commission of an IP crime is anexception to an otherwise law-abiding life. It isappropriate to consider whether there is areasonable basis to believe that the person hasengaged in previous IP violations. A prosecutor,an investigator or a victim may be aware of apermanent injunction or consent decree in anycivil case against the defendant.

f. The Individual’s Willingness toCooperate in the Investigation or Prosecutionof Others

A defendant’s willingness to cooperate willdepend on the individual. Nevertheless, it isimportant to recognize that in IP cases, defendantsoften have a substantial capacity for cooperation,if they are, in fact, willing. Since IP crimes oftenrequire special materials, equipment, orinformation, and can involve multipleparticipants, defendants often can providesubstantial assistance. This cooperation can take atleast three forms. Most commonly, a defendantmight cooperate in the investigation orprosecution of others directly involved in thesame criminal scheme.

Second, a defendant might also providevaluable cooperation concerning the source ordestination of counterfeit goods or pirated works.For example, if a defendant is investigated forselling counterfeit watches on a retail basis, hecould provide information as to the wholesaler ofthose counterfeit watches. The wholesaler, in turn,


could provide information regarding themanufacturer, or about other retailers.

Third, a defendant might also provideinformation concerning the trafficking ofcounterfeit packaging materials in whichcounterfeit goods may be sold. This information iseasy to overlook since the price of the packagingmay be relatively low in comparison to the priceof the goods, particularly for high-technologyitems. However, such information can beinvaluable. For example, a defendant accused oftrafficking 2,000 counterfeit computer chips for$200 each for a total of $400,000 may also havesold 10,000 counterfeit boxes for that same kindof chip at three dollars each for a total of $30,000.Though the $30,000 in box sales may seem like asmall part of a $400,000 case, it can provide animportant lead concerning the purchaser of thecounterfeit boxes. Since the boxes serve no otherpurpose than to facilitate the trafficking incounterfeit goods, a reasonable inference is thatthe box purchaser may also be trafficking in thecounterfeit chips. Therefore, what was a simple$30,000 worth of boxes could lead to $2 millionworth of counterfeit chips.

g. The Probable Sentence or OtherConsequences if the Person is Convicted

The consequences that may be imposed if anIP prosecution is successful includeimprisonment, restitution, and forfeiture. InProsecuting Intellectual Property Crimes, thesentencing provisions are discussed at § VII.A,whereas restitution (which is generally mandatoryin IP cases) is discussed at § VII.B and forfeiture(which is generally available in IP cases) isdiscussed at § VII.C. The probable sentence isworthy of attention in light of the May 2000revision to sentencing guideline § 2B5.3 (which isthe relevant guideline for most IP crimes) to moreaccurately reflect the loss caused by IP crime.

Under revised guideline § 2B5.3, the baseoffense level is 8. This level is increased byreference to the “fraud table” at § 2F1.1 with acalculation where “loss” is based on the“infringement amount.” It is important tounderstand that the “infringement amount” iscalculated, in many IP cases, based on the retailvalue of the infringed (legitimate) item multiplied

by the number of infringing items. Thiscalculation can profoundly affect the sentence inan IP case.

For example, if a defendant sold, for fivedollars each, 100 pirated CDs each containing 20pirated software programs worth one hundreddollars each, that defendant may have profitedonly $500. Nevertheless, for sentencing purposesin such a case, the loss would probably bemeasured by the value of the intellectual propertyinfringed upon by the defendant, which is $2,000per CD for a total of $200,000.

Since the new sentencing guidelines nowrecognize in many IP cases that the value of thelegitimate property is the proper basis for a losscalculation, prosecutors should be aware of thisvalue in deciding whether to proceed with an IPcase. Other important factors that can affect theoffense level by 2 points each, are:

1.Whether the offense involved themanufacture, importation, or uploading ofinfringing items;

2. Whether the offense was not committed forcommercial advantage or private financial gain;

3. Whether the offense involved (a) theconscious or reckless risk of serious bodily injury;or (b) possession of a dangerous weapon(including a firearm) in connection with theoffense; or

4. Whether the offender took steps tocircumvent encryption or other security measuresin order to gain initial access to the infringed item.

Other factors that the Sentencing Commission hasspecifically recognized as possible grounds for anupward departure in an IP case under sentencingguideline § 2B5.3 are:

1. If the reputation of the trademark orcopyright owner was substantially harmed bythe offense in a way that is not accounted forin the monetary calculation; or

2. If the offense was in connection with or infurtherance of a national or internationalorganized criminal enterprise.


2. Whether the Person is Subject toProsecution in Another Jurisdiction

The second situation noted by the U.S.Attorneys’ Manual § 9-27.220 in which theprosecutor may properly decline to take actiondespite having sufficient admissible evidenceoccurs when the person is subject to effectiveprosecution in another jurisdiction. In IP cases, asin other cases, “[a]lthough there may be instancesin which a Federal prosecutor may wish toconsider deferring to prosecution in anotherFederal district, in most instances the choice willprobably be between Federal prosecution andprosecution by state or local authorities.” U.S.Attorneys’ Manual § 9-27.240 (cmt). Indetermining whether prosecution should bedeclined because the person is subject to effectiveprosecution in another jurisdiction, prosecutorsshould weigh all relevant considerations,including: (1) the strength of the otherjurisdiction’s interest in prosecution; (2) [t]heother jurisdiction’s ability and willingness toprosecute effectively; and (3) [t]he probablesentence or other consequences if the person isconvicted in the other jurisdiction. U.S. Attorneys’Manual § 9-27.240. See United States v. Coffee,113 F. Supp.2d 751 (E.D. Pa. 2000) (grantingdefendants’ motion to transfer venue on the basisof the convenience of the parties and witnessesand the interests of justice where the impecuniousdefendants’ home and the alleged criminaloperations were in Dayton, Ohio and only five offifty-seven proposed government witnesses werein Philadelphia, where an undercover operationhad purchased counterfeit airplane parts).

IP cases represent a rare species where aprosecutor arguably may not be able to defer to aprosecution in the location of the primary victim.For example, a individual in one state may trafficin counterfeit sports wear bearing thecounterfeited mark of a sports team located in asecond state, and he might do so without everphysically entering that second state. Because ofthe defendant’s constitutional and statutory rightto be tried in the state and district in which theircrime was “committed,” U.S. Const. art. III § 2 cl.3; U.S. Const. amend. 6; 18 U.S.C. § 3237, aprosecutor based in that second state— the homestate of the victim— arguably may not have proper

venue over the counterfeiter unless he or she canshow that the “locus delecti” of the counterfeitingtook place in the second state. This determination must be made “from the nature of the crimealleged and the location of the act or actsconstituting it.” United States v. Rodriguez-Moreno, 526 U.S. 275, 280 (1999).

Although this subject has not been vigorouslylitigated in the criminal infringement context,ordinarily the analysis turns on the locations of theactions of the defendant, rather than the districtwhere the harm is felt. For example, inUnited States v. DeFreitas, 92 F. Supp.2d 272,276-77 (S.D.N.Y. 2000), the district court foundNew York venue proper in a case under 18U.S.C. § 2320 where the counterfeit BeanieBabies were shipped from China to Canada,trucked to New York and then to New Jerseybecause “the very nature of the offense of‘trafficking’ contemplates a continuing offense,one which begins with obtaining control over thecounterfeit goods, continues with the transport,and ends with the transfer or disposal of suchgoods.” Cf. United States v. Muench, 153 F.3d1298, 1303 (1998) (finding venue for failure topay child support to be proper in Florida, wherevictim child lived, even though Texas was wherethe defendant lived and where his child supportchecks were due); United States v. Reed, 773 F.2d477, 483 (2d Cir. 1985) (considering factors suchas the site of the criminal acts, the elements andnature of the crime, the locus of its effects, and thesuitability of the various districts for accuratefactfinding and concluding that perjury in onedistrict in a proceeding ancillary to a proceedingin another district may be prosecuted in either).See generally Donna A. Balaguer, Venue, 30 Am.Crim. L. Rev. 1259 (1993).

Thus, in IP cases, it is common that thefederal prosecutor will be called upon to vindicatethe rights of a victim IP holder based in anotherdistrict, another state, or even another country.Prosecutors should therefore be cognizant that thedefendant may not be subject to prosecution in thevictim’s district, state or nation. Federalprosecutors should also recognize that local orstate authorities may not have a great interest inpunishing violations of the rights of out-of-statevictim IP holders. By contrast, ensuring uniform


and reliable national enforcement of the IP laws isan important goal of federal law enforcement.

This goal takes on added significance forfederal prosecutors when the victim is based in aforeign country because of the importance of IP inmodern international trade. With consistentenforcement of IP rights, America will continue toset an example of vigorous IP rights enforcementand to be perceived as hospitable to foreign firmsthat would register their IP and engage in businesshere.

Local and state authorities may also believethat since many IP rights are conferred by thefederal government, they do not have the ability toprosecute any IP crimes. There is a provision forfederal preemption for copyright infringement, 17U.S.C. § 301, although this preemption permitsprosecution for other kinds of crime.

Even if the local or state authorities express astrong interest in prosecution, they may not havethe ability or willingness to prosecute the caseeffectively. IP cases may not be a priority forsome state or local authorities. They may havelimited resources to devote to IP cases. Forexample, a particular office may not have space tostore the large inventory seized from thewarehouse of a counterfeiter. Some state or localauthorities may not be interested in vindicatingthe IP rights of a distant victim. For a furtherdiscussion of state and local authority to prosecuteIP crimes and a listing of state criminal IPstatutes, see Prosecuting Intellectual PropertyCrimes § VI.A.2 & App. D (2001).

3. The Adequacy of a Noncriminal Alternativein an IP Case

Prosecutors may consider the adequacy ofnoncriminal alternatives when addressing an IPcase. Some civil remedies, including ex parteseizure of a defendant’s infringing products andpunitive damages, may be available for certainviolations of copyright and trademark rights. 15U.S.C. § 1116(d) (trademark remedies); 17U.S.C. §§ 502-505 (copyright remedies). Also, forimporters of trademark-infringing merchandise,the Customs Service may assess civil penalties notgreater than the value that the merchandise wouldhave were it genuine, according to the

manufacturer’s suggested retail price for firstoffenders, and not greater than twice that value forrepeat offenders. These civil fines may beimposed in the U.S. Custom Service’s discretion,in addition to any other civil or criminal penaltyor other remedy authorized by law. 19U.S.C. § 1526(f). The availability and adequacyof these remedies should be carefully consideredwhen evaluating an IP case.

Yet civil remedies may be futile under variouscircumstances. For example, IP crimes areunusual because they generally are committedwithout the victim’s knowledge, even after thefact. The victim usually has no direct relationshipwith the infringer— before, during, or after thecommission of the crime. If a victim is unaware ofa violation by a particular defendant, civilremedies generally will be unavailing.Furthermore, without criminal sanction, infringersor counterfeiters might treat the rare case of thevictim’s civil enforcement of its rights as a cost ofdoing business.

Another important factor to consider whencontemplating civil remedies is that infringersmay be judgment proof. In most cases, theinfringer traffics in counterfeit items worth far lessthan the authentic ones. By the time lawenforcement identifies the unlawful activity, thevalue of the infringing items that the defendanthas distributed often far exceeds the funds towhich the defendant has access. This phenomenonis particularly common in software infringementcases, since an infringer can reproduce largenumbers of high quality copies with only minimalinvestment. In Internet and computer bulletinboard cases, a relatively modest expenditure in apersonal computer and a modem can result in thereproduction and distribution of hundreds or eventhousands of exact duplications of copyrightedworks. In such instances, a criminal sanction maybe the only meaningful deterrent.

There are a number of other circumstanceswhere existing civil remedies may simply be aninsufficient deterrent. For example, there may becases where there have been prior unsuccessfulefforts by a victim to enforce IP rights against thedefendant or the existence of circumstancespreventing such efforts. Criminal charges may


also be necessary if counterfeiting continuesdespite the entry of a permanent injunction orconsent decree in a civil case. As these scenariosillustrate, there are numerous situations wherecivil remedies may not deter the infringement,particularly where the defendant regards civilpenalties as a cost of doing business. Anotheroption to keep in mind in civil cases where thereis a “repeat infringer” is that the existence of acivil order may provide a basis for a petition to thecourt for contempt.

Finally, civil remedies may not fully capturethe wrongfulness of the defendant’s criminalconduct. Counterfeiting or infringement of IPthreatens the very integrity of the federal IPsystem, just as counterfeiting of currencyjeopardizes the currency system. A meaningfulthreat of criminal prosecution is necessary tosafeguard the public’s confidence in IP.

Conclusion

Because defendants in IP cases can haveseveral victims, including the IP holders, societyat large, and the recipients of the infringing goodsor works, and because reliable enforcement offederally created IP rights is so important to thegrowing information economy, federal

prosecutors should carefully consider whether toprosecute an IP case. Since the enactment in May2000 of the new sentencing guideline that moreaccurately reflects the loss caused by IP crime, thepunishment that can arise from a conviction isnow more appropriate to the crime. Prosecutorsshould be aware of these special characteristics ofIP cases when evaluating them against traditionalprinciples and exercising their prosecutorialdiscretion. Further guidance is available from therecently published manual, ProsecutingIntellectual Property Crimes (2001), or from theIP Team at the Computer Crime and IntellectualProperty Section (CCIPS) at (202) 514-1026.òABOUT THE AUTHOR

ëDavid Goldstone has been a Trial Attorney inthe Computer Crime and Intellectual PropertySection for four years. He is the Team Leader forthe Intellectual Property Team, and the primaryauthor and editor of Prosecuting IntellectualProperty Crimes (2001). Mr. Goldstone has beenan instructor at the National Advocacy Center andis an adjunct professor of cyberspace law at thelaw schools of Georgetown University andGeorge Washington University.a

Recognizing and Meeting Title III Concerns in Computer InvestigationsRobert StrangAssistant United States AttorneySouthern District of New York

The dramatic increase in crimes involving theInternet, and computer crimes more generally, iswell documented. The “2000 CSI/FBI ComputerCrime and Security Survey” documented that 90%of the 643 respondents (primarily large U.S.corporations and government agencies) detectedcomputer security breaches within the last twelvemonths, totaling hundreds of millions of dollars in

losses. In light of the increased criminalopportunities created by the ever-growing relianceon, and growing interconnectedness betweennetwork computers, there can be no doubt thatexperienced and sophisticated computer criminalspose a substantial challenge to law enforcement.

There has also been a corresponding increasein the difficulty in catching computer criminals.There are a number of reasons why this is so. Theanonymity provided by computer communicationshas long been recognized as one of the major


attractions to would-be computer criminalsubjects. This difficulty has been heightened bythe use and availability of so-called“anonymizers”, services that repackage electronicmail and thereby diminish the ability to trace it. Inaddition, many victims and Internet ServiceProviders (ISPs) fail to record, or preserve for asufficient length of time, historical logs and otherrecords that might otherwise lead to theidentification of subjects engaged in wrongdoing.Furthermore, the practice of jumping fromcompromised network to compromised network,including networks with servers located outside ofthe United States, can also make tracing thecommunications back to the initial subjectextremely difficult. This is especially true wheresubjects have made efforts to cover their tracks orwhere proof of criminal activity, or even theirfleeting presence, is lost before it can be secured.Finally, victims may be unaware of criminalactivity on their network or, if aware, slow orunwilling to report it due to competitive reasons.For these and other reasons, there are manycomputer crimes where it will be impossible forlaw enforcement to identify the perpetratorsinvolved. Therefore, exclusive reliance onhistorical investigations will allow criminalactivity carried out by more experienced andskillful criminals to go undetected and/orunpunished.

Issues Raised by Proactive Investigations

As a result of these limitations, lawenforcement is increasingly turning to proactiveinvestigations where undercover agents seek outthe individuals who are already engaging incomputer crimes — attempting to record, in real-time, computer criminals while they are involvedin the criminal act. The proactive approachbypasses some of the investigatory hurdles ofanonymity, lack of records, and under-reportinginherent in computer cases. It also has the addedbenefit of potentially stopping the criminal beforethe damage is done. Use of real-time monitoringof criminal activity is even advantageous in somehistorical investigations where a subject returnsto, or passes through the same victim’s network.As criminals are increasingly adept at avoidingleaving an historic trail, such investigations are

the next logical step for law enforcement (and onethat is increasingly being taken).

Such undercover operations and recording arealso feasible. The very expectation of anonymitythat benefits criminals also helps law enforcementundercover agents enter this world without beingscrutinized, as long as they can talk the talk.Agents can even use other undercover identities tovouch for themselves. From a technicalperspective, so-called “sniffer” computerprograms that are capable of recording allkeystroke activity on a particular computernetwork are a well-known and widely availabletool for system administrators, hackers, and lawenforcement alike.

These types of investigatory techniques oftenraise legal issues. One of the major issues raisedby real-time monitoring is compliance withfederal wiretapping statutes. This article focuseson the ability to legally and contemporaneouslyrecord and identify subjects, and to developadmissible evidence which is central to asuccessful investigation. Agents and otherinvestigators, some with only limited experiencein this area may turn to prosecutors with questionsregarding what they can and cannot do in theirefforts to use real-time monitoring of criminalsduring the course of undercover operations. It iscritical for prosecutors to be able to identifypotential legal issues relating to such recordingsby agents, in advance, before problems arise.

Since the current legal road map is largelywithout judicial markers, it is important to addresssome of the potential issues raised by theapplication of the privacy laws to real-timemonitoring, as well as some of the statutoryexceptions that may permit monitoring to takeplace absent a court order.

Application of Title III to “ElectronicCommunications”

In 1986, Congress passed the ElectronicCommunications Privacy Act (“ECPA”), which,among others things, extended the prohibitionscontained in Title III of the Omnibus Crime andControl and Safe Streets Act of 1968 (the“Wiretap Act”), 18 U.S.C. §§ 2510-2521, toelectronic communications that are intercepted


contemporaneously with their transmission— thatis electronic communications that are in transitbetween machines and which contain no aural(human voice) component. Thus, communicationsinvolving computers, faxes, and pagers (other than“tone-only” pagers) all enjoy the broadprotections provided by Title III unless one ormore of the statutory exceptions to Title IIIapplies. In the computer context, both thegovernment and third parties are prohibited frominstalling “sniffer” computer software, such as theFBI’s Carnivore program, to record keystroke andcomputer traffic of a specific target unless one ofthe exceptions is present.

Where the government is seeking to interceptand monitor all electronic communicationsoriginating from a target’s home or through the e-mail account at the target’s ISP, the application ofTitle III differs little from its historical applicationto telephone wiretaps. The issues agents andprosecutors are likely to encounter are typicallytechnical, not legal. This is particularly true whenlaw enforcement is dealing with ISPs who mayhave little or no experience in providing Title IIIassistance to law enforcement, have technical ormanpower difficulties in providing access to thesubject’s accounts, or show an overall reluctancein working with law enforcement.

Sometimes, however, the potential effect ofTitle III’s restrictions on computer lawenforcement can be unexpected. For example, if ahacker breaks into a victim’s computer, engagesin criminal activity, and uses it to store credit cardnumbers, common sense would suggest thesubject hacker enjoys no reasonable expectationof privacy. Perversely, however, the subjecthacker’s communications may enjoy statutoryprotection under Title III, and thus anyinterception of that illegal activity by a privateparty (including the victim) or law enforcementmust fall within one of the statutory exceptions inorder to monitor without a court order. In theabove example, the victim’s consent is likely to besufficient to fall within one of Title III’s statutoryexceptions.

This example, however, becomes moredifficult if the subject hacker simply uses thevictim’s computer as a jump point from which to

illegally hop to new downstream victims or tocommunicate with the hacker’s confederates, as isfrequently the case. Does a victim have a right tomonitor communications that are being made by asubject hacker who is trespassing on theircomputer, and is no longer seeking to damage it,but rather is passing through on his or her way tocommit more mischief? Does the governmentenjoy the same rights to monitor thatcommunication as the victim? How, if at all, doesthe analysis change when the government is theprimary victim of the hacking activity?

The analysis of these scenarios is currentlydependent on how courts interpret the breadth ofexisting statutory exceptions to Title III that werewritten to address the interception of simple, two-way telephone conversations. Thus, under currentlaw, a hacker, a trespasser on another party’scomputer network, an intruder who enjoys noexpectation of privacy, may nevertheless receivecertain statutory protections under Title III.Prosecutors must therefore consider whether thestatutory exceptions to Title III permit anyproposed monitoring. The following are threestatutory exceptions that appear to offer potentialalternatives to the administrative and judicialburdens involved in seeking court-orderedmonitoring under Title III.

Consent of a Party “Acting Under Color ofLaw”

The most commonly used exception to TitleIII’s requirements permits “a person acting undercolor of law” to intercept an “electroniccommunication” where “such person is a party tothe communication, or one of the parties to thecommunication has given prior consent to suchinterception.” 18 U.S.C. § 2511(2)(c).

While there are not many judicial decisions inthis area, two circuits appear to recognize that theowner of a computer may be considered a “partyto the communication” and thus can consent to thegovernment monitoring electroniccommunications between that computer and ahacker. See United States v. Mullins, 992 F.2d1472, 1478 (9th Cir. 1993); United States v.Seidlitz, 589 F.2d 152, 158 (4th Cir. 1978). Thus,this exception appears to permit a victim tomonitor and to authorize the government to


monitor, hacking activity directly with his or hercomputer.

By contrast, if the communication merelypasses through a victim’s computer, a court mayconsider it a strain to conclude that the victimcomputer is a “party” to the communication.Technically, the victim’s computer is receivingelectronic communications and passing them on todownstream victims and/or confederates of thesubject hacker. The literal possibility ofmonitoring this downstream traffic is present, asall the data streams through the victim’scomputer, but is the victim a “party to thecommunication” if the communications are simplypassing through its system? A court may concludethat the owner is not a “party” capable of givingconsent to key stroke monitoring given its passthrough role.

This is more than a metaphysical concern.Hackers regularly seek to pass through thecomputers of victims they have previously hackedto: (1) cover their trail when they arrive at theirnext victim or victims; (2) continue to make useof favorable features of a compromised networksuch as storage space, bandwidth, and processingspeed; (3) return to hacking tools they have leftthere for safekeeping; or (4) simply as a pattern ofpassing through old conquests to make sure theirprevious exploits have not been detected. Thissituation can arise even when a governmentcomputer is the initial victim. From there, thesubject may hop (typically telnet) to the nextnetwork without taking the trouble of backing outof the hacked system. It is possible that thedownstream network may not even be a truevictim, but rather may belong to a system friendlyto the subject hacker. In any event, the statutoryexception requires that this new victim give “priorconsent” to the monitoring, which will be almostan impossibility in the short term where the victimor victims typically cannot be known in advance.

Consent of a Party “Not Acting Under Color ofLaw”

Title III also permits “a person not actingunder color of law” to intercept an “electroniccommunication” where “such person is a party tothe communication, or one of the parties to the

communication has given prior consent to suchinterception.” 18 U.S.C. § 2511(2)(d).

In addition to permitting a victim to monitorcommunications to which he or she is a partybefore law enforcement gets involved, thisexception provides a very powerful tool to lawenforcement: obtaining the implied consent of thesubject hacker himself or herself throughcomputer “banners.”

Computer networks frequently make use ofcomputer banners that appear whenever a personlogs onto the network. Each of us, for example,passes through such a banner each day when welog onto the Department of Justice’s computernetwork. A banner is nothing more than aprogram that is installed to appear whenever auser attempts to enter a network from a designatedpoint of entry known as a “port.” Banners varysubstantially in wording, but they usually informthe user that: (1) the user is on a private network;and (2) by proceeding, the user is consenting to allforms of monitoring. Government networksalready employ such broad-based banners, and weencourage private industry to follow suit.Businesses are often amenable to doing so,although often for non-law enforcement purposes,such as the monitoring of their employees’ use ofthe Internet.

Thus, the subject hacker gives impliedconsent to monitoring whenever he or she passesthrough a properly worded banner. A properlyworded banner should also result in impliedconsent by the subject hacker to the monitoring ofall downstream activities, thus alleviating Title IIIconcerns in much the same way as telephonemonitoring of inmates, based on implied consent,has been upheld by the courts.

Due to their pervasiveness, the presence ofbanners is unlikely to deter or arouse suspicion ina subject who has already decided to enter anetwork illegally. In the case where a privatenetwork failed to have a sufficiently broad bannerto permit monitoring, a later attempt to add abanner between visits may cause suspicion on thepart of the hacker. Even in this situation, however,the very nature of the hacking experiencefrequently involves the constant cat and mousegame between network system administrators,


seeking to remove hackers from their systems byterminating a compromised account and/or by“patching” the vulnerability that permitted thehackers to illegally enter the network, and thehackers attempting to return to the system andovercome and disable its security features. Thus,the addition of a new banner may not concern adedicated hacker. The subject hacker may not beaware that Title III may prevent law enforcementfrom monitoring all of the intruder’s activitieswhile he or she is connected to the compromisedcomputer network.

Finally, there are technical limitations to theuse of banners. Computer systems are designed tohave hundreds of ports for different types of usessuch as electronic mail, remote log-in, or telnet.Most of these ports are not in use and remainclosed, and can only be opened by a systemadministrator, or by a hacker who has illegallyobtained the same privileges as a systemadministrator. Due to the technical nature of theseports, which goes beyond the scope of this article,it is not possible to install a banner or othermessage on a certain percentage of the ports. It ispossible for a determined hacker to gain the sameprivileges (known as “superuser” or “root” status)on a network and open one or more of these ports,perhaps to serve as a future “back door” means ofentry. Having once been given notice that thesubject has given implied consent to monitoringby making use of a network, however, thatconsent should be valid for future use whetherentry was made through a bannered or a non-bannered port. The only question this possibilityraises is whether an affiliated or unaffiliatedhacker might use one of these non-bannered portsfor entry, and never pass through a banner.

Protection of the Rights and Property of theProvider

Title III also permits providers of acommunication service, including an electroniccommunication service, the right to interceptcommunications as a “necessary incident to therendition of his service” or to protect “the rightsor property of the provider of that service.” 18U.S.C. § 2511(2)(a)(i).

This exception permits a private party tomonitor activities on its system to prevent misuse

of the system through damage, fraud, or theft ofservices. Since computer hacking often involvesdamage or disabling of a network's computersecurity system, as well as theft of the network'sservice, this exception permits a systemadministrator to monitor the activities of a hackerwhile on the network.

This exception to Title III has somesignificant limitations. One important limitation isthat the monitoring must be reasonably connectedto the protection of the provider’s service, and notas a pretext to engage in unrelated monitoring.While no court has explored what this limitationmeans in the computer context, by way ofanalogy, one court has held that a telephonecompany may not monitor all the conversations ofa user of an illegal clone phone unrelated to theprotection of its service. See McClelland v.McGrath, 31 F. Supp.2d 616 (N.D. Ill. 1998).

Furthermore, the right to monitor is justifiedby the right to protect one’s own system fromharm. An ISP, for example, may not be able tomonitor the activities of one of its customersunder this exception for allegedly engaging inhacking activities on other networks. Thislimitation also makes it harder for a networkadministrator to justify the monitoring of hackingactivities of a subject who has jumped to a newdownstream victim. This potential limitation isunfortunate as it becomes more applicableprecisely when the consent of a “party to thecommunication” is also at its weakest.

Another important limitation of this exceptionis that it does not permit a private provider of thecommunication service to authorize thegovernment to conduct the monitoring; themonitoring must be done by the provider itself.Thus, where a provider lacks the technical orfinancial resources, or desire to engage inmonitoring itself, it may be difficult for thegovernment to step in to assist. Similarly, insituations where the government becomes awarethat an ISP or network system administrator ismonitoring illegal activity in order to protect its“rights and property,” the government should becareful not to direct or participate in themonitoring, or cause it to be continued, becausethe provider may be deemed an agent of the


government, and the exception may not apply.Compare United States v. Pervaz, 118 F.3d 1 (1st

Cir. 1997), with McClelland, infra.

Even with these limitations, the providerexception can be very useful, particularly when asystem administrator aggressively chooses toinvestigate hacking activity, or when the victimcomputer network is owned by the government.The technical gap in the use of implied consentdescribed above, the inability to place consentbanners on certain ports, can be filled by the useof the provider exception to monitor computerintrusions coming through these ports.

Conclusion

While Title III concerns are only one of thepotential issues raised by proactive investigationsin the computer context (others may includeentrapment or even third-party liability), they arecertainly among the most important. When all elsefails, the prosecutor can always seek a Title IIIinterception order. While this requires bothdepartmental and judicial approval, there are afew aspects of obtaining such a “datatap” orderthat may make it less of a burden than obtaining atraditional telephone wiretap order. First, withrespect to the interception of electroniccommunications, law enforcement is not limitedtopredicate offenses, but rather may seek it for anyfederal felony (note that some forms of hackingmay constitute only a misdemeanor). See 18U.S.C. § 2516(3). Second, with respect to therecording on or through a victim computer, theactual hacking activities typically constitute afederal felony, thus meeting the probable causestandards for seeking the authorization will besimple. See 18 U.S.C. § 2518(3)(a). Third, the

method of recording the results of the datatap arenot difficult; the information can be obtainedusing specialized software or commerciallyavailable sniffer programs. Finally, minimizationpresents far less of a problem than it does for theexecution of a traditional wiretap. See 18 U.S.C. §2518(5). The burdens encountered and time lost inseeking Title III authorization makes the properuse of the exceptions discussed in this articleextremely useful tools in investigating criminalactivity. With the aid of proper monitoring, aswell as the use of the many tools to obtainhistorical activities of subject hackers, lawenforcement can overcome the potentialanonymity provided by a computer, and identifyand prosecute those criminals who abuse it toviolate the law.

For more information on how Title III appliesto the Internet, see Chapter 4 of the ComputerCrime and Intellectual Property Section's newmanual "Searching and Seizing Computers andObtaining Electronic Evidence in CriminalCriminal Investigations. It is available atwww.cybercrime.gov/searchmanual.htm"ò

ABOUT THE AUTHOR

ëRobert Strang has been an AssistantUnited States Attorney for the Southern District ofNew York since 1997, where he currently servesas Computer Telecommunications Coordinator.a


Identity Theft: The Crime of the NewMillenniumSean B. HoarAssistant United States AttorneyDistrict of Oregon

The Nature of the Problem

Identity theft has been referred to by some asthe crime of the new millennium. It can beaccomplished anonymously, easily, with a varietyof means, and the impact upon the victim can bedevastating. Identity theft is simply the theft ofidentity information such as a name, date of birth,Social Security number (SSN), or a credit cardnumber. The mundane activities of a typicalconsumer during the course of a regular day mayprovide tremendous opportunities for an identitythief: purchasing gasoline, meals, clothes, ortickets to an athletic event; renting a car, a video,or home-improvement tools; purchasing gifts ortrading stock on-line; receiving mail; or taking outthe garbage or recycling. Any activity in whichidentity information is shared or made available toothers creates an opportunity for identity theft.

It is estimated that identity theft has becomethe fastest-growing financial crime in Americaand perhaps the fastest-growing crime of any kindin our society. Identity Theft: Is There AnotherYou?: Joint hearing before the House Subcomms.on Telecommunications, Trade and ConsumerProtection, and on Finance and HazardousMaterials, of the Comm. on Commerce, 106th

Cong. 16 (1999) (testimony of Rep. John B.Shadegg). The illegal use of identity informationhas increased exponentially in recent years. Infiscal year 1999 alone, the Social SecurityAdministration (SSA) Office of Inspector General(OIG) Fraud Hotline received approximately62,000 allegations involving SSN misuse. Thewidespread use of SSNs as identifiers has reducedtheir security and increased the likelihood thatthey will be the object of identity theft. Theexpansion and popularity of the Internet to effectcommercial transactions has increased the

opportunities to commit crimes involving identitytheft. The expansion and popularity of the Internetto post official information for the benefit ofcitizens and customers has also increasedopportunities to obtain SSNs for illegal purposes.

On May 31, 1998, in support of the IdentityTheft and Assumption Deterrence Act, theGeneral Accounting Office (GAO) released abriefing report on issues relating to identity fraudentitled “Identity Fraud: Information onPrevalence, Cost, and Internet Impact is Limited”.The report found that methods used to obtainidentity information ranged from basic street theftto sophisticated, organized crime schemesinvolving the use of computerized databases orthe bribing of employees with access to personalinformation on customer or personnel records.The report also found the following: In 1995, 93percent of arrests made by the U.S. Secret ServiceFinancial Crimes Division involved identity theft.In 1996 and 1997, 94 percent of financial crimesarrests involved identity theft. The Secret Servicestated that actual losses to individuals andfinancial institutions which the Secret Service hadtracked involving identity fraud totaled $442million in fiscal year 1995, $450 million in fiscalyear 1996, and $745 million in fiscal year 1997.The SSA OIG stated that SSN misuse inconnection with program fraud increased from305 in fiscal year 1996 to 1,153 in fiscal year1997. Postal Inspection investigations showed thatidentity fraud was perpetrated by organized crimesyndicates, especially to support drug trafficking,and had a nationwide scope. Trans UnionCorporation, one of the three major national creditbureaus, stated that two-thirds of its consumerinquiries to its fraud victim department involvedidentity fraud. Such inquiries had increased froman average of less than 3,000 a month in 1992 toover 43,000 a month in 1997. VISA U.S.A., Inc.,and MasterCard International, Inc. both stated thatoverall fraud losses from their member bankswere in the hundreds of millions of dollars


annually. MasterCard stated that dollar lossesrelating to identity fraud represented about 96percent of its member banks' overall fraud lossesof $407 million in 1997.

Victims of identity theft often do not realizethey have become victims until they attempt toobtain financing on a home or a vehicle. Onlythen, when the lender tells them that their credithistory makes them ineligible for a loan, do theyrealize something is terribly wrong. When theyreview their credit report, they first become awareof credit cards for which they have never applied,bills long overdue, unfamiliar billing addresses,and inquiries from unfamiliar creditors. Even ifthey are able to identify the culprit, it may takemonths or years, tremendous emotional anguish,many lost financial opportunities, and large legalfees, to clear up their credit history.

How Does Identity Theft Occur?

Identity theft occurs in many ways, rangingfrom careless sharing of personal information, tointentional theft of purses, wallets, mail, or digitalinformation. In public places, for example, thievesengage in "shoulder surfing" n watching you froma nearby location as you punch in your telephonecalling card number or credit card number n orlisten in on your conversation if you give yourcredit card number over the telephone. Inside yourhome, thieves may obtain information from yourpersonal computer while you are on-line and theyare anonymously sitting in the comfort of theirown home. Outside your home, thieves steal yourmail, garbage, or recycling. Outside medicalfacilities or businesses, thieves engage in“dumpster diving” n going through garbage cans,large dumpsters, or recycling bins n to obtainidentity information which includes credit or debitcard receipts, bank statements, medical recordslike prescription labels, or other records that bearyour name, address, or telephone number.

In a recent case in the District of Oregon, aring of thieves obtained identity information bystealing mail, garbage, and recycling material, bybreaking into cars, and by hacking into web sitesand personal computers. The thieves traded thestolen information for methamphetamine, cellulartelephones, or other favors. Before they werearrested, they had gained access to an estimated

400 credit card accounts and had made anestimated $400,000 in purchases on thosefraudulently obtained accounts. One aspect of thecase involved the theft of preapproved credit cardsolicitations, activating the cards, and having themsent to drop boxes or third-party addresses.Another scam involved taking names, dates ofbirth, and SSNs from discarded medical,insurance, or tax information and obtaining creditcards at various sites on the Internet. The thievesfound most credit card companies to be unwittingallies. One of the thieves boasted aboutsuccessfully persuading a bank to grant a highercredit limit on a fraudulently obtained credit cardaccount. Another aspect of the case involved theuse of a software application to hack intocommercial web sites or personal computers andmirror keystrokes to capture credit card accountinformation. Two of the offenders wereprosecuted federally for conspiracy to commitcomputer fraud and mail theft under 18 U.S.C.§§ 1030(a)(4), 371and 1708, and consented to theforfeiture of computer equipment obtained as aresult of the fraud-related activity pursuant to 18U.S.C. § 982(a)(2)(B). One defendant wassentenced to serve a forty-one month term ofimprisonment and pay $70,025.98 in restitution.United States v. Steven Collis Massey, CR 99-60116-01-AA (D.Or. 1999). The other defendantwas sentenced to serve a fifteen month term ofimprisonment and pay $52,379.03 in restitution.United States v. Kari Bahati Melton, CR 99-60118-01-AA (D.Or. 1999).

How Can Identity Theft Be Investigated andProsecuted?

The investigation of identity theft is laborintensive and individual cases are usuallyconsidered to be too small for federal prosecution.Perpetrators usually victimize multiple victims inmultiple jurisdictions. Victims often do not realizethey have been victimized until weeks or monthsafter the crime has been committed, and canprovide little assistance to law enforcement. Inshort, identity theft has become thefastest-growing financial crime in America andperhaps the fastest-growing crime of any kind inour society, because offenders are seldom heldaccountable. Consequently, it has become apriority for the Departments of Justice and


Treasury and the Federal Trade Commission(FTC) to pursue effective means of prevention,investigation, and prosecution of identity theftoffenses. Toward that end, workshops wererecently held for the purpose of identifying thebest practices to combat identity theft, includingremediation, prevention, and law enforcementstrategies. Workshop participants includedprevention specialists, federal agencyrepresentatives, state and federal investigators,and state and federal prosecutors.

The experience of workshop participants isthat law enforcement agencies at all levels, federaland non-federal, must work together investigatingidentity theft. Multi-agency task forces haveproven successful in investigating and prosecutingidentity theft. By utilizing task forces, memberagencies pool scarce resources to investigate andprosecute identity theft offenses, and provideprevention training. Workshop participants alsoindicated that outreach to private industry isnecessary as a prevention strategy, and itfacilitates the identification of offenders.

Identity theft cases involving large numbersof victims present unique challenges. Onechallenge is communication with victims.Communication is necessary to obtainfundamental investigative information, includingloss and restitution information. In complex cases,it is imperative to devise a system forcommunication with the victims at the outset ofthe case. The AUSA should work withvictim/witness units to identify the bestcommunication system for the case. The AUSAshould also work with the system administrator todevelop a link from the district’s web site for on-line communication with victims. The link canprovide access to a data base into which victimscan enter case-related information. The link canalso be used to provide updates on the status ofthe case. Notification to the victims regardingtheir use of the web site can be provided through aform letter accompanying an investigative surveywhich must be completed, in any event, to obtainloss and restitution information.

1. Federal Criminal Laws

There are a number of federal laws applicableto identity theft, some of which may be used for

prosecution of identity theft offenses, and some ofwhich exist to assist victims in repairing theircredit history. The primary identity theft statute is18 U.S.C. § 1028(a)(7) and was enacted onOctober 30, 1998, as part of the Identity Theft andAssumption Deterrence Act (Identity Theft Act).The Identity Theft Act was needed because 18U.S.C. § 1028 previously addressed only thefraudulent creation, use, or transfer ofidentification documents, and not the theft orcriminal use of the underlying personalinformation. The Identity Theft Act added§ 1028(a)(7) which criminalizes fraud inconnection with the unlawful theft and misuse ofpersonal identifying information, regardless ofwhether the information appears or is used indocuments. Section 1028(a)(7) provides that it isunlawful for anyone who:

knowingly transfers or uses, withoutlawful authority, a means of identificationof another person with the intent tocommit, or to aid or abet, any unlawfulactivity that constitutes a violation ofFederal law, or that constitutes a felonyunder any applicable State or locallaw. . . .

The Identity Theft Act amended the penaltyprovisions of § 1028(b) by extending its coverageto offenses under the new § 1028(a)(7) andapplying more stringent penalties for identitythefts involving property of value. Section1028(b)(1)(D) provides for a term ofimprisonment of not more than fifteen years whenan individual commits an offense that involves thetransfer or use of one or more means ofidentification if, as a result of the offense,anything of value aggregating $1,000 or moreduring any one year period is obtained. Otherwise,§ 1028(b)(2)(B) provides for imprisonment of notmore than three years. The Identity Theft Actadded § 1028(f) which provides that attempts orconspiracies to violate § 1028 are subject to thesame penalties as those prescribed for substantiveoffenses under § 1028.

The Identity Theft Act amended § 1028(b)(3)to provide that if the offense is committed tofacilitate a drug trafficking crime, or in connectionwith a crime of violence, or is committed by a


person previously convicted of identity theft, theindividual is subject to a term of imprisonment ofnot more than twenty years. The Identity TheftAct also added § 1028(b)(5) which provides forthe forfeiture of any personal property used orintended to be used to commit the offense.

Section 1028(d)(3) defines “means ofidentification”, as used in § 1028(a)(7), to include“any name or number that may be used, alone orin conjunction with any other information, toidentify a specific individual.” It covers severalspecific examples, such as name, social securitynumber, date of birth, government issued driver’slicense and other numbers; unique biometric data,such as fingerprints, voice print, retina or irisimage, or other physical representation; uniqueelectronic identification number; andtelecommunication identifying information oraccess device.

Section 1028(d)(1) modifies the definition of“document-making implement” to includecomputers and software specifically configured orprimarily used for making identity documents.The Identity Theft Act is intended to cover avariety of individual identification informationthat may be developed in the future and utilized tocommit identity theft crimes.

The Identity Theft Act also directed theUnited States Sentencing Commission to reviewand amend the Sentencing Guidelines to provideappropriate penalties for each offense underSection 1028. The Sentencing Commissionresponded to this directive by adding U.S.S.G.§ 2F1.1(b)(5) which provides the following:

(5) If the offense involved –

(A) the possession or use of anydevice-making equipment;

• the production or trafficking ofany unauthorized access device orcounterfeit access device; or

• (i) the unauthorized transfer oruse of any means of identificationunlawfully to produce or obtainany other means of identification;or (ii) the possession of [five] ormore means of identification that

unlawfully were produced fromanother means of identification orobtained by the use of anothermeans of identification,

increase by 2 levels. If the resultingoffense level is less than level 12, increaseto level 12.

These new guidelines take into consideration thefact that identity theft is a serious offense, whetheror not certain monetary thresholds are met. Formost fraud offenses, the loss would have to bemore than $70,000.00 for the resulting offenselevel to be level 12. U.S.S.G. § 2F1.1(b)(1)(G). Inproviding for a base offense level of 12 foridentity theft, the Sentencing Commissionacknowledged that the economic harm fromidentity theft is difficult to quantify, and thatwhatever the identifiable loss, offenders should beheld accountable. Identity theft offenses willusually merit a two-level increase because theyoften involve more than minimal planning or ascheme to defraud more than one victim. U.S.S.G.§ 2F1.1(b)(2). Identity theft offenses may alsoprovide for two to four-level upwardorganizational role adjustments when multipledefendants are involved. U.S.S.G. § 3B1.1

The Identity Theft Act also directed the FTCto establish a procedure to log in and acknowledgereceipt of complaints from victims of identitytheft, to provide educational materials to thesevictims, and to refer the complaints to appropriateentities. The FTC has responded to this directiveby developing a web site, great educationalmaterials, a hotline for complaints, and a centraldatabase for information. The web site can befound at www.consumer.gov/idtheft. The hotlineis 1-877-ID THEFT. Identity theft complaints areentered into Consumer Sentinel, a secure, on-linedatabase available to law enforcement. The FTChas become a primary referral point for victims ofidentity theft, and a tremendous resource for thesevictims and law enforcement.

2. Other Federal Offenses

Identity theft is often committed to facilitateother crimes, although it is frequently the primarygoal of the offender. Schemes to commit identitytheft may involve a number of other statutes


including identification fraud (18 U.S.C.§ 1028(a)(1) - (6)), credit card fraud (18 U.S.C.§ 1029), computer fraud (18 U.S.C.§ 1030), mailfraud (18 U.S.C. § 1341), wire fraud (18 U.S.C.§ 1343), financial institution fraud (18 U.S.C.§ 1344), mail theft (18 U.S.C. § 1708), andimmigration document fraud (18 U.S.C. § 1546).For example, computer fraud may be facilitatedby the theft of identity information when stolenidentity is used to fraudulently obtain credit on theInternet. Computer fraud may also be the primaryvehicle to obtain identity information when theoffender obtains unauthorized access to anothercomputer or web site to obtain such information.These acts might result in the offender beingcharged with both identity theft under 18 U.S.C.§ 1028(a)(7) and computer fraud under 18 U.S.C.§ 1030(a)(4). Regarding computer fraud, note thatU.S.S.G. § 2F1.1(c)(1) provides a minimumguideline sentence, notwithstanding any otheradjustment, of a six month term of imprisonmentif a defendant is convicted of computer fraudunder 18 U.S.C. § 1030(a)(4).

Several examples of how identity theftschemes may involve other statutes may behelpful. These include the case of an offender whofraudulently obtains identity information byposing as an employer in correspondence with acredit bureau. This offender might appropriatelybe charged with both identity theft under 18U.S.C. § 1028(a)(7) and mail fraud under 18U.S.C. § 1341. An offender who steals mailthereby obtaining identity information mightappropriately be charged with identity theft under18 U.S.C. § 1028(a)(7) and mail theft under 18U.S.C. § 1708. The offender who fraudulentlyposes as a telemarketer thereby obtaining identityinformation might appropriately be charged withboth identity theft under 18 U.S.C. § 1028(a)(7)and wire fraud under 18 U.S.C. § 1343.

3. Recent Federal Cases

A number of cases have recently beenprosecuted under 18 U.S.C. § 1028(a)(7)including the following:

In the Central District of California, a manwas sentenced to a twenty-seven month term ofimprisonment for obtaining private bank accountinformation about an insurance company's

policyholders, while serving as a temporaryemployee of the company. Thereafter he used thatinformation to deposit over $764,000 incounterfeit bank drafts and withdraw funds fromaccounts of policyholders. United States v.Anthony Jerome Johnson, CR 99-926 (C.D.Ca.Jan. 31, 2000).

In the District of Delaware, one defendant wassentenced to a thirty-three month term ofimprisonment and $160,910.87 in restitution, andanother defendant to a forty-one month term ofimprisonment and $126,298.79 in restitution forobtaining names and SSNs of high-rankingmilitary officers from an Internet web site andusing them to apply on-line for credit cards andbank and corporate credit in the officers’ names.United States v. Lamar Christian, CR 00-3-1 (D.Del. Aug. 9, 2000); United States v. RonaldNevison Stevens, CR 00-3-2 (D.Del. Aug. 9,2000).

In the District of Oregon, seven defendantshave been sentenced to imprisonment for theirroles in a heroin/methamphetamine traffickingorganization, which included entering theUnited States illegally from Mexico and obtainingSSNs of other persons. The SSNs were then usedto obtain temporary employment andidentification documents in order to facilitate thedistribution of heroin and methamphetamine. Inobtaining employment, the defendants used falsealien registration receipt cards, in addition to thefraudulently obtained SSNs, which providedemployers enough documentation to completeemployment verification forms. Some of thedefendants also used the fraudulently obtainedSSNs to obtain earned income credits on taxreturns fraudulently filed with the InternalRevenue Service. Some relatives of narcoticstraffickers were arrested in possession of falsedocuments and were charged with possessingfalse alien registration receipt cards and withusing the fraudulently obtained SSNs to obtainemployment. A total of twenty-seven defendantshave been convicted in the case to date, fifteenfederally and twelve at the state level.United States v. Jose Manuel Acevez Diaz, CR 00-60038-01-HO (D.Or. Aug. 10, 2000);United States v. Pedro Amaral Avila, CR 00-60044-01-HO (D.Or. Nov. 7, 2000); United States


v. Jose Arevalo Sanchez; CR 00-60040-01-HO(D.Or. Nov. 21, 2000); United States v. MariaMersedes Calderon, CR 00-60046-01-HO (D.Or.May 10, 2000); United States v. Victor ManuelCarrillo, CR 00-60045-01-HO (D.Or. Oct. 24,2000); United States v. Alfonso Flores Ramirez,CR 00-60043-01-HO (D.Or. Aug. 30, 2000);United States v. Cleotilde Fregoso Rios, CR 00-60035-01-HO (D.Or. Nov. 7, 2000); United Statesv. Javier Hernandez Lopez, CR 00-60038-01-HO(D.Or. Aug. 10, 2000); United States v. RanulfoSalgado, CR 00-60039-01-HO (D.Or. Jan. 18,2001); United States v. Angel Sanchez, CR 00-60080-01-HO (D.Or. Aug. 31, 2000);United States v. Cresencio Sanchez, CR 00-60143-01-HO (D.Or. Dec. 13, 2000);United States v. Piedad Sanchez, CR 00-60131-01-HO (D.Or. Jan. 9, 2001); United States v. NoelSanchez Gomez, CR 00-60034-01-HO (D.Or.Dec. 12, 2000); United States v. Kelly WayneTalbot, CR 00-60081-01-HO (D.Or. Dec. 31,2000); United States v. Jose Venegas Guerrero,CR 00-60037-01-HO (D.Or. Nov. 21, 2000); Stateof Oregon v. Fred Harold Davis, Case No.006276FE (Jackson County Dec. 13, 2000); Stateof Oregon v. Pablo Macias Ponce, Case No.004317MI (Jackson County Sept. 13, 2000); Stateof Oregon v. Raul Navarro Guiterrez, Case No.005257FE (Jackson County Nov. 8, 2000); Stateof Oregon v. Miranda Mae Byrne, Case No.004363FE (Jackson County Jan. 9, 2001); State ofOregon v. James Tracy Campbell, Case No.002376FE (Jackson County Oct. 18, 2000); Stateof Oregon v. Ann Marie Eaton, Case No.002378FE (Jackson County Aug. 25, 2000); Stateof Oregon v. Michael Scott Gilhousen, Case No.002225FE (Jackson County Nov. 7, 2000); Stateof Oregon v. Robert Dean Golden, Case No.002726FE (Jackson County Oct. 18, 2000); Stateof Oregon v. Annetta Lynn Kelley, Case No.002377FE (Jackson County July 24, 2000); Stateof Oregon v. Gerald Jerome King, Case No.003594FE (Jackson County Oct. 31, 2000); Stateof Oregon v. Micah John Right, Case No.002374FE (Jackson County Sept. 7, 2000); andState of Oregon v. Todd Ivan Williams, Case No.004533FE (Jackson County Jan. 12, 2001).

4. Federal Credit Laws

It is important for training purposes and toassist victims in repairing damage to their credithistory that prosecutors have at least a cursoryunderstanding of credit laws that impact identitytheft. The Fair Credit Reporting Act establishesprocedures and time frames for correctingmistakes on credit records and requires that yourrecord only be provided for legitimate business,credit, or employment needs. 15 U.S.C. § 1681et seq. The Truth in Lending Act limits liabilityfor unauthorized credit card charges in most casesto $50.00. 15 U.S.C. § 1601 et seq. The FairCredit Billing Act establishes procedures forresolving billing errors on credit card accounts ifthe unauthorized charge is reported within certaintime frames. 15 U.S.C. § 1666. The Fair DebtCollection Practices Act prohibits debt collectorsfrom using unfair or deceptive practices to collectoverdue bills that your creditor has forwarded forcollection. 15 U.S.C. § 1692. The Electronic FundTransfer Act provides consumer protections fortransactions using a debit card or electronic meansto debit or credit an account. It also limits aconsumer's liability for unauthorized electronicfund transfers if the unauthorized transfer isreported within certain time frames. 15 U.S.C.§ 1693. If an ATM or debit card is reported lost orstolen within two business days of the loss ortheft, the losses are limited to $50.00. If reportedafter two business days but within 60 days of thefirst statement showing an unauthorized transfer,the losses are limited to $500.00. Otherwise,losses may only be limited by the amountobtained. 15 U.S.C. § 1693(g)(a).

5. State Criminal Laws

Most states have laws prohibiting the theft ofidentity information. Where specific identity theftlaws do not exist, the practices may be prohibitedunder other state laws or the states may beconsidering such legislation. The following is alist of current state laws which prohibit the theftof identity information: Ariz. Rev. Stat.§ 13-2008; Ark. Code Ann. § 5-37-227; Cal.Penal Code § 530.5; 2000 Colo. Legis. Serv. ch159 (May 19, 2000); 1999 Conn. Acts 99-99; Del.Code Ann. tit. 11, § 854; Fla. Stat. Ann.§ 817.568; Ga. Code Ann. § 16-9-121 to 16-9-


127; Idaho Code § 18-3126; 720 Ill Comp.Stat.5/16G; Ind.Code § 35-43-5-4 (2000); Iowa Code§ 715A.8); Kan. Stat. Ann. § 21-4018; Ky. Rev.Stat. Ann. § 514.160; La. Rev. Stat. Ann. § 67.16;Me. Rev. Stat. Ann. tit. 17-A, § 354-2A; Md.Ann. Code art. 27, § 231; Mass. Gen. Laws ch.266, § 37E; Minn. Stat. Ann. § 609.527; Miss.Code Ann. § 97-19-85; Mo. Rev. Stat. § 570.223;Neb. Rev. State. § 28-101; Nev. Rev. Stat.§ 205.465; N.H. Rev. Stat. Ann. § 638:26; N.J.Stat. Ann. § 2C:21-17; N.C. Gen. Stat.§ 14-113.20; N.D. Cent. Code § 12.1-23-11; OhioRev. Code Ann. 2913.49; Okla. Stat. tit. 21,§ 1533.1; Or. Rev. Stat. § 165.800; Pa. Cons. Stat.Ann. § 420; R.I. Gen. Laws § 11-49.1-1; S.C.Code Ann. § 16-13-500; S.D. Codified Laws 20;Tenn. Code Ann. § 39-14-150; Tex. Penal CodeAnn.§ 35.51; Utah Code Ann. § 76-6-1101-1104;VA. Code Ann. § 18.2-186.3; Wash. Rev. Code§ 9.35; W. Va. Code Ann. § 61-3-54; Wis. Stat.§ 943.201; Wyo. Stat. Ann. § 6-3-901.

How Can Identity Theft Be Prevented?

While it is extremely difficult to preventidentity theft, the best approach is to be proactiveand take steps to avoid becoming a victim. Asprosecutors, it is important to learn how to preventidentity theft in order to provide training to lawenforcement and private industry. We can alsocomplement the assistance to victims provided byour victim/witness units. A thorough guide topreventing and responding to identity theft can befound in Mari Frank and Beth Givens, PrivacyPiracy! A Guide to Protecting Yourself fromIdentity Theft, Office Depot, (1999). Relatedinformation can be found atwww.identitytheft.org. The FTC has alsopublished a helpful guide entitled FTC, ID Theft:When Bad Things Happen to Your Good Name,(August 2000). This and related information canbe found at www.consumer.gov/idtheft. Also, theUnited States Postal Inspection Service hasproduced an excellent video about identity theftentitled IDENTITY THEFT: The Game of theName.

1. Only Share Identity Information WhenNecessary.

Be cautious about sharing personalinformation with anyone who does not have a

legitimate need for the information. For instance,credit card numbers should never be provided toanyone over the telephone unless the consumerhas initiated the call and is familiar with the entitywith whom they are doing business. Likewise,SSNs should not be provided to anyone other thanemployers or financial institutions who need theSSN for wage, interest and tax reporting purposes.Businesses may legitimately inquire about a SSNif doing a credit check for purposes of financing apurchase. Some entities, however, may simplywant the SSN for record-keeping purposes.Businesses may choose to not provide a service orbenefit without obtaining a person’s SSN, but thechoice as to whom a SSN is provided should beexercised with caution. In the event an entity, suchas a hospital or a Department of Motor Vehicles(DMV), assigns a SSN as a patient or clientidentification number, the customer shouldrequest that an alternative number be assigned.

2. When in Public, Exercise Caution WhenProviding Identity Information.

“Shoulder surfers” regularly glean suchinformation for their fraudulent use. Be especiallycautious when entering account information at anAutomatic Teller Machine (ATM), or whenentering long-distance calling card information ona public telephone. Likewise, be cautious whenorally providing this type of information on apublic telephone. Also, do not put identityinformation, such as an address or license platenumber, on a key ring or anything similar that caneasily be observed or lost. Identity information onsuch objects simply provides thieves easier meansof finding and accessing homes and cars.

3. Do Not Carry Unnecessary Identity Informationin a Purse or Wallet.

According to the FTC Identity TheftClearinghouse, the primary means for thieves toobtain identity information is through the loss ortheft of purses and wallets. To reduce the risk thatidentification information might bemisappropriated, only carry the identityinformation necessary for use during the course ofdaily activities such as a driver’s license, onecredit or debit card, an insurance card, andmembership cards that are regularly required foruse. There should be no need to carry a Social


Security card, or anything containing a SSN.Likewise, there should be no need to carry a birthcertificate or a passport. These items should bekept under lock and key in a safe or a safetydeposit box. Credit or debit cards that are notregularly used should also be removed from apurse or wallet. The fewer pieces of identificationcarried in a purse or wallet, the easier it is toidentify an individual piece that may have beenlost or stolen, and the easier the task of notifyingcreditors and replacing such information should apurse or wallet be lost or stolen.

4. Secure Your Mailbox.

According to the FTC, the second mostsuccessful means for thieves to obtain identityinformation is through stolen mail. Many thievesfollow letter carriers at a discreet distance andsteal mail immediately after it has been deliveredto a residential mail box. Do not place outgoingmail in residential mail boxes. Doing so,especially raising a red flag on a mail box tonotify the postal carrier of outgoing mail, issimply an invitation to steal. Deposit outgoingmail in locked post office collection boxes or at alocal post office. If you prefer to have maildelivered to your residential address, install a mailbox which is secured by lock and key. Promptlyremove mail after it has been delivered to yourmailbox.

5. Secure Information on Your PersonalComputer.

Similar to telephonic inquiries, credit cardnumbers should not be provided to anyone on theInternet unless the consumer has initiated thecontact and is familiar with the entity with whomthey are doing business. In addition to cautiouslychoosing with whom identity information isshared, computer users should install a firewall ontheir personal computers to prevent unauthorizedaccess to stored information. A personal firewallis designed to run on an individual personalcomputer and isolate it from the rest of theInternet, thereby preventing unauthorized accessto the computer. The user sets the level of desiredsecurity and the firewall inspects each packet ofdata to determine if it should be allowed to get toor from the individual machine, consistent withthe level of security. A firewall is especially

necessary for Digital Subscriber Line (DSL),cable modem, or other “always-on” connections.There are a number of quality firewall softwareapplications that can be downloaded as freewarefrom sites on the Internet.

6. Keep Financial and Medical Records in aSecure Location.

Thieves may be more interested in identityinformation from which they can access credit,than in physical property. It is important,therefore, to keep all financial and medicalrecords, and any other information containingidentity information, in a secure location underlock and key.

7. Shred Nonessential Material ContainingIdentity Information.

All nonessential documentary materialcontaining any type of identity information shouldbe shredded prior to being placed in garbage orrecycling. The term “nonessential” should beinterpreted as anything that an individual orbusiness is not required by law or policy to retain.For individuals this includes credit or debit cardreceipts, canceled bank checks and statements,outdated insurance or financial information, andjunk mail, especially pre-approved creditapplications and subscription solicitations. Forbusinesses or medical facilities, this includesreceipts of completed credit or debit cardtransactions, outdated client files, or prescriptionlabels. The best shredding is done through a cross-cut shredder which cuts paper into small pieces,making it extremely difficult to reconstructdocuments. Expired credit or debit cards shouldalso be cut into several pieces before beingdiscarded.

8. “Sanitize” the Contents of Garbage andRecycling.

All nonessential documentary materialcontaining any type of identity information shouldbe shredded before being placed in garbage orrecycling. While junk mail or old financialdocuments may appear to be innocuous, they canbe a gold mine when obtained by an identity thief.

9. Ensure That Organizations Shred IdentityInformation.


Many businesses, firms, and medical facilitiesare not sensitive to privacy issues arising fromdiscarded material. Many of these entitiesregularly dispose of material containing customeridentity information, i.e. customer orders, receipts,prescription labels, etc., into garbage cans,dumpsters, or recycling bins without shreddingthe material. Tremendous damage can be done bythese practices. Customers of businesses, clientsof firms, and patients of medical facilities shouldinsist that all data be shredded before beingdiscarded and that all retained data be kept insecure storage.

10. Remove Your Name from Mailing Lists.

Removing a name from a mailing list reducesthe number of commercial entities having accessto the identity information. It also reduces theamount of junk mail, including pre-approvedcredit applications and subscription solicitations,thereby reducing the risk that the theft of suchmail will compromise privacy. Many financialinstitutions, such as banks and credit cardcompanies, and even state agencies, marketidentity information of customers unless a requestis received, in writing, that such information is notto be shared. Customers of such businesses andagencies should submit such requests, notifyingthe entity in writing of their desire to opt out ofany mailing lists, and to not have identityinformation shared.

To opt out of the mailing lists of the threemajor credit bureaus (Equifax, Experian, andTrans Union), call 1-888-5OPT-OUT. To opt outof many national direct mail lists, write the DirectMarketing Association, DMA Preference Service,P.O. Box 9008, Farmingdale, N.Y. 11735-9008.To opt out of many national direct e-mail lists,visit www.e-mps.org. To opt out of many nationaltelemarketer lists, send your name, address andtelephone number to the Direct MarketingAssociation, DMA Telephone Preference Service,P.O. Box 9014, Farmingdale, N.Y. 11735-9014.

11. Carefully Review Financial Statements.

Promptly review all bank and credit cardstatements for accuracy. Pay attention to billingcycles. A missing bill may mean a thief has takenover an account and changed the billing address to

avoid detection. Report any irregularities to thebank or credit card company immediately.

12. Periodically Request Copies of Credit Reports.

Credit reports are available for $8.00 from thethree major credit bureaus (Equifax, Experian, andTrans Union). Credit bureaus must provide a freecopy of the report if it is inaccurate due to fraudand it is requested in writing. The reports shouldbe reviewed carefully to make sure nounauthorized accounts have been opened orunauthorized changes made to existing accounts.

To order a report from Equifax, visitwww.equifax.com, call 1-800-685-1111 or writeP.O. Box 740241, Atlanta, GA 30374-0241. Toorder a report from Experian, visitwww.experian.com, call 1-888-EXPERIAN(397-3742) or write P.O. Box 949, Allen, TX75013- 0949. To order a report from Trans Union,visit www.tuc.com, call 800-916-8800 or writeP.O. Box 1000, Chester, PA 19022.

What Steps Should Be Taken by a Victim ofIdentity Theft?

When someone realizes they have become avictim of identity theft, they should take thefollowing steps while keeping a log of allconversations, including dates, names, andtelephone numbers. The log should indicate anytime spent and expenses incurred in the eventrestitution can be obtained in a civil or criminaljudgment against the thief. All conversationsshould be confirmed in writing with thecorrespondence sent by certified mail, returnreceipt requested. All correspondence should bekept in a secure location, under lock and key.

First, the victim should contact the frauddepartments of each of the three major creditbureaus (Equifax, Experian, and Trans Union),inform the representative of the identity theft, andrequest that a “fraud alert” be placed on their file,as well as a statement asking that creditors call thevictim before opening any new accounts. This canhelp prevent an identity thief from openingadditional accounts in the victim’s name. Thevictim should inquire about how long the fraudalert will remain on the file, and what, if anything,must be done to extend the alert if necessary.Copies of credit reports from the credit bureaus


should also be ordered. The reports should bereviewed carefully to identify unauthorizedaccounts or unauthorized changes to existingaccounts. Also, if the reports indicate that any“inquiries” were made from companies thatopened fraudulent accounts, a request should bemade to remove the “inquiries” from the report. Arequest should also be made for the credit bureausto notify those who have received a credit reportin the last six months and alert them to thedisputed and erroneous information. The victimshould request a new copy of the reports after afew months, to verify that the requested changeshave been made, and to ensure no new fraudulentactivity has occurred.

To report fraud to Equifax, visitwww.equifax.com, call 1-800-525-6285 and writeP.O. Box 740241, Atlanta, GA 30374-0241. Toreport fraud to Experian, visit www.experian.com,call 1-888-EXPERIAN and write P.O. Box 949,Allen TX 75013-0949. To report fraud to TransUnion, visit www.tuc.com, call 1-800-680-7289and write Fraud Victim Assistance Division, P.O.Box 6790, Fullerton, CA 92634.

Second, the victim should contact the securityor fraud departments for any creditors of accountsin which fraudulent activity occurred. Thetelephone numbers for these creditors can beobtained from the credit bureaus. Creditors caninclude businesses, credit card companies,telephone companies and other utilities, and banksand other lenders. All conversations should beconfirmed with written correspondence. It isparticularly important to notify credit cardcompanies in writing because it is required by theconsumer protection laws set forth above. Thevictim should immediately close accounts thathave been tampered with and open new ones withnew Personal Identification Numbers (PINs) andpasswords.

Third, the victim should file a report with alocal police department or the police departmentwhere the identity theft occurred, if that can bedetermined. The victim should obtain a copy ofthe police report in the event creditors need proofof the crime. Even if the thief is not apprehended,a copy of the police report may assist the victimwhen dealing with creditors. The victim should

also file a complaint with the FTC. The FTCshould be contacted on its Identity Theft Hotlinetoll free at 1-877-ID THEFT (438-4338), TDD at1-202-326-2502, by mail at FTC Identity TheftClearinghouse, 600 Pennsylvania Avenue, N.W.,Washington, D.C. 20580, or atwww.consumer.gov/idtheft.

Fourth, certain situations may require additional action by the victim. For instance, if anidentity thief has stolen mail, it should be reportedto a local postal inspector. A phone number forthe nearest postal inspection service office can beobtained from a local post office or the U.S.Postal Service web site atwww.usps.com/postalinspectors. If financialinformation has been obtained, the financial entity(the bank, brokerage firm, credit union, credit cardcompany, etc.) should be contacted, thefraudulently affected accounts closed, and newaccounts opened with new PINs and passwords,including affected ATM cards. Payment should bestopped on any stolen checks, and banks or creditunions should be asked to request the appropriatecheck verification service to notify retailers not toaccept the checks. Three check verificationcompanies that accept reports of check frauddirectly from consumers are: Telecheck:1-800-710-9898; International Check Services:1-800-631-9656; and Equifax: 1-800-437-5120. Ifinvestments or securities may have been affected,brokers should be notified and the victim shouldfile a complaint with the Securities and ExchangeCommission (SEC). A complaint can be filed withthe SEC at the SEC Enforcement ComplaintCenter, 450 Fifth Street, NW, Washington, D.C.20549-0202; its web site www.sec.gov, [email protected], or fax (202) 942-9570.

If new phone service has fraudulently beenestablished in a victim’s name or billing forunauthorized service is made to an existingaccount, the victim should contact the serviceprovider immediately to cancel the account and/orcalling card and open new accounts with newPINs and passwords. If a victim has difficultyremoving fraudulent charges from an account, acomplaint should be filed with the FederalCommunications Commission (FCC). Acomplaint can be filed with the FCC at the FCCConsumer Information Bureau, 445 12th Street,


S.W., Room 5A863, Washington, DC 20554; theFCC Enforcement Bureau web sitewww.fcc.gov/eb, e-mail [email protected],telephone 1-888-CALL FCC, or TTY 1-888-TELL FCC.

If someone is using a victim’s SSN to applyfor a job or to work, it should be reported to theSocial Security Administration (SSA). The victimshould first visit the SSA’s web site atwww.ssa.gov, read the Guidelines for ReportingFraud, Waste, Abuse and Mismanagement, andthen call the SSA Fraud Hotline at1-800-269-0271, and file a report at SSA FraudHotline, P.O. Box 17768, Baltimore MD 21235,fax 410-597-0118 or e-mail [email protected] victim should also call the SSA at1-800-772-1213 to verify the accuracy of earningsreported under the SSN and to request a copy ofthe victim’s Social Security Personal Earnings andBenefit Estimate Statement. The Statement shouldreveal earnings posted to the victim’s SSN by theidentity thief. If an SSN has been fraudulentlyused, the Internal Revenue Service (IRS)Taxpayer Advocates Office should be contacted.The fraudulent use of an SSN might result in whatappears to be an underreporting of a victim’staxable income and an attempt by the IRS tocollect taxes on the underreported income. TheIRS Taxpayer Advocates Office can be contactedat 1-877-777-4778 or www.treas.gov/irs/ci.

If someone has fraudulently obtained adriver’s license or photographic identificationcard in a victim’s name through an office of aDMV, the local DMV should be contacted and afraud alert should be placed in the license.Likewise, if someone has stolen any otheridentification document, the entity responsible forcreating the document should be contacted andinformed of the theft. If a passport has been lost orstolen, the United States State Department shouldbe contacted at Passport Services, CorrespondenceBranch, 1111 19th Street, NW, Suite 510Washington, DC 20036, orwww.travel.state.gov/passport_services. Ifsomeone has stolen a health insurance card, thetheft should be reported to the insurer. Subsequentinsurance statements should be reviewed forfraudulent billing.

If someone has fraudulently filed forbankruptcy in a victim’s name, the U.S. Trusteeshould be contacted in the region where thebankruptcy was filed. A listing of the U.S.Trustees can be found at www.usdoj.gov/ust. Awritten complaint must be filed describing thesituation and providing proof of the victim’sidentity. The U.S. Trustee, if appropriate, willmake a referral to criminal law enforcementauthorities. The victim should also file acomplaint with the FBI in the city where thebankruptcy was filed.

In rare instances, an identity thief may createa criminal record under a victim’s name byproviding the identity when arrested. Victims ofthis type of problem should contact the FBI andinitiate a request that the victim’s name becleared, and retain an attorney to resolve theproblem as procedures for clearing one’s namemay vary by jurisdiction.

Conclusion

Identity theft was clearly identified as aserious crime two years ago when the IdentityTheft Act was passed. Since that time great strideshave been made to combat the problem, but muchwork remains to be done. Law enforcementagencies at all levels, federal and non-federal,must work together to develop strategies for theinvestigation and prosecution of offenders. At thesame time, the law enforcement community mustwork closely with private industry to developeffective education and prevention programs. Thecrime of the new millennium will not fade awaysoon, nor will passive efforts soften thedevastating impact upon its victims. Yet with hardwork, cooperation, and effective communicationbetween law enforcement and the public, identitythieves will be held accountable in this newmillennium. ò


ABOUT THE AUTHOR

ëSean B. Hoar has been an AUSA since 1991and is the Computer and TelecommunicationsCoordinator (CTC) for the southern half of theDistrict of Oregon. As such, he prosecuted thefirst case in the United States under the NoElectronic Theft Act (NET Act) involvingcriminal copyright infringement on the Internet.He is primarily concerned with developing

partnerships with local, state and federal lawenforcement agencies to prevent, investigate andprosecute cyber crime. Previously he wasprimarily involved in the prosecution oforganizational narcotics traffickers and receivedthe Directors Award for his role in prosecuting aheroin trafficking organization based in SoutheastAsia which included a General in the Royal ThaiArmy who was a member of the SupremeCommand of the Royal Thai Armed Forces. a

Computer Records and the FederalRules of EvidenceOrin S. KerrTrial AttorneyComputer Crime and Intellectual PropertySection

This article explains some of the importantissues that can arise when the government seeksthe admission of computer records under theFederal Rules of Evidence. It is an excerpt of alarger DOJ manual entitled "Searching andSeizing Computers and Obtaining ElectronicEvidence in Criminal Investigations", which isavailable on the internet atwww.cybercrime.gov/searchmanual.htm.

Most federal courts that have evaluated theadmissibility of computer records have focused oncomputer records as potential hearsay. The courtsgenerally have admitted computer records upon ashowing that the records fall within the businessrecords exception, Fed. R. Evid. 803(6):

Records of regularly conducted activity. Amemorandum, report, record, or datacompilation, in any form, of acts, events,conditions, opinions, or diagnoses, made at ornear the time by, or from informationtransmitted by, a person with knowledge, ifkept in the course of a regularly conductedbusiness activity, and if it was the regular

practice of that business activity to make thememorandum, report, record, or datacompilation, all as shown by the testimony ofthe custodian or other qualified witness,unless the source of information or themethod or circumstances of preparationindicate lack of trustworthiness. The term“business” as used in this paragraph includesbusiness, institution, association, profession,occupation, and calling of every kind, whetheror not conducted for profit.

See, e.g., United States v. Cestnik, 36 F.3d 904,909-10 (10th Cir. 1994); United States v. Moore,923 F.2d 910, 914 (1st Cir. 1991); United States v.Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990);United States v. Catabran, 836 F.2d 453, 457 (9thCir. 1988); Capital Marine Supply v. M/V RolandThomas II, 719 F.2d 104, 106 (5th Cir. 1983).Applying this test, the courts have indicated thatcomputer records generally can be admitted asbusiness records if they were kept pursuant to aroutine procedure for motives that tend to assuretheir accuracy.

However, the federal courts are likely to moveaway from this “one size fits all” approach as theybecome more comfortable and familiar withcomputer records. Like paper records, computerrecords are not monolithic: the evidentiary issuesraised by their admission should depend on what


kind of computer records a proponent seeks tohave admitted. For example, computer recordsthat contain text often can be divided into twocategories: computer-generated records, andrecords that are merely computer-stored. SeePeople v. Holowko, 486 N.E.2d 877, 878-79 (Ill.1985). The difference hinges upon whether aperson or a machine created the records' contents.Computer-stored records refer to documents thatcontain the writings of some person or personsand happen to be in electronic form. E-mailmessages, word processing files, and Internet chatroom messages provide common examples. Aswith any other testimony or documentaryevidence containing human statements, computer-stored records must comply with the hearsay rule.If the records are admitted to prove the truth of thematter they assert, the offeror of the records mustshow circumstances indicating that the humanstatements contained in the record are reliable andtrustworthy, see Advisory Committee Notes toProposed Rule 801 (1972), and the records mustbe authentic.

In contrast, computer-generated recordscontain the output of computer programs,untouched by human hands. Log-in records fromInternet service providers, telephone records, andATM receipts tend to be computer-generatedrecords. Unlike computer-stored records,computer-generated records do not contain human“statements,” but only the output of a computerprogram designed to process input following adefined algorithm. Of course, a computer programcan direct a computer to generate a record thatmimics a human statement: an e-mail program canannounce “You've got mail!” when mail arrives inan inbox, and an ATM receipt can state that $100was deposited in an account at 2:25 pm. However,the fact that a computer, rather than a humanbeing, has created the record alters the evidentiaryissues that the computer-generated recordspresent. See, e.g., 2 J. Strong, McCormick onEvidence § 294, at 286 (4th ed. 1992). Theevidentiary issue is no longer whether a human'sout-of-court statement was truthful and accurate (aquestion of hearsay), but instead whether thecomputer program that generated the record wasfunctioning properly (a question of authenticity).See id.; Richard O. Lempert & Steven A.

Saltzburg, A Modern Approach to Evidence 370(2d ed. 1983); Holowko, 486 N.E.2d at 878-79.

Finally, a third category of computer recordsexists: some computer records are both computer-generated and computer-stored. For example, asuspect in a fraud case might use a spreadsheetprogram to process financial figures relating to thefraudulent scheme. A computer record containingthe output of the program would derive from bothhuman statements (the suspect's input to thespreadsheet program) and computer processing(the mathematical operations of the spreadsheetprogram). Accordingly, the record combines theevidentiary concerns raised by computer-storedand computer-generated records. The partyseeking the admission of the record shouldaddress both the hearsay issues implicated by theoriginal input and the authenticity issues raised bythe computer processing.

As the federal courts develop a more nuancedappreciation of the distinctions to be madebetween different kinds of computer records, theyare likely to see that the admission of computerrecords generally raises two distinct issues. First,the government must establish the authenticity ofall computer records by providing “evidencesufficient to support a finding that the matter inquestion is what its proponent claims.” Fed. R.Evid. 901(a). Second, if the computer records arecomputer-stored records that contain humanstatements, the government must show that thosehuman statements are not inadmissible hearsay.

A. Authentication

Before a party may move for admission of acomputer record or any other evidence, theproponent must show that it is authentic. That is,the government must offer evidence “sufficient tosupport a finding that the [computer record orother evidence] in question is what its proponentclaims.” Fed. R. Evid. 901(a). See United States v.Simpson, 152 F.3d 1241, 1250 (10th Cir. 1998).

The standard for authenticating computerrecords is the same as for authenticating otherrecords. The degree of authentication does notvary simply because a record happens to be (orhas been at one point) in electronic form. SeeUnited States v. DeGeorgia, 420 F.2d 889, 893


n.11 (9th Cir. 1969); United States v. Vela, 673F.2d 86, 90 (5th Cir. 1982). But see United Statesv. Scholle, 553 F.2d 1109, 1125 (8th Cir. 1977)(stating in dicta that “the complex nature ofcomputer storage calls for a more comprehensivefoundation”). For example, witnesses who testifyto the authenticity of computer records need nothave special qualifications. The witness does notneed to have programmed the computer himself,or even need to understand the maintenance andtechnical operation of the computer. SeeUnited States v. Moore, 923 F.2d 910, 915 (1stCir. 1991) (citing cases). Instead, the witnesssimply must have first-hand knowledge of therelevant facts to which he or she testifies. Seegenerally United States v. Whitaker, 127 F.3d595, 601 (7th Cir. 1997) (FBI agent who waspresent when the defendant's computer was seizedcan authenticate seized files) United States v.Miller, 771 F.2d 1219, 1237 (9th Cir. 1985)(telephone company billing supervisor canauthenticate phone company records); Moore, 923F.2d at 915 (head of bank's consumer loandepartment can authenticate computerized loandata).

Challenges to the authenticity of computerrecords often take one of three forms. First, partiesmay challenge the authenticity of both computer-generated and computer-stored records byquestioning whether the records were altered,manipulated, or damaged after they were created.Second, parties may question the authenticity ofcomputer-generated records by challenging thereliability of the computer program that generatedthe records. Third, parties may challenge theauthenticity of computer-stored records byquestioning the identity of their author.

1. Authenticity and the Alteration of ComputerRecords

Computer records can be altered easily, andopposing parties often allege that computerrecords lack authenticity because they have beentampered with or changed after they were created.For example, in United States v. Whitaker, 127F.3d 595, 602 (7th Cir. 1997), the governmentretrieved computer files from the computer of anarcotics dealer named Frost. The files fromFrost's computer included detailed records of

narcotics sales by three aliases: “Me” (Frosthimself, presumably), “Gator” (the nickname ofFrost's co-defendant Whitaker), and “Cruz” (thenickname of another dealer). After thegovernment permitted Frost to help retrieve theevidence from his computer and declined toestablish a formal chain of custody for thecomputer at trial, Whitaker argued that the filesimplicating him through his alias were notproperly authenticated. Whitaker argued that“with a few rapid keystrokes, Frost could haveeasily added Whitaker's alias, 'Gator' to theprintouts in order to finger Whitaker and to appearmore helpful to the government.” Id. at 602.

The courts have responded with considerableskepticism to such unsupported claims thatcomputer records have been altered. Absentspecific evidence that tampering occurred, themere possibility of tampering does not affect theauthenticity of a computer record. See Whitaker,127 F.3d at 602 (declining to disturb trial judge'sruling that computer records were admissiblebecause allegation of tampering was “almost wild-eyed speculation . . . [without] evidence to supportsuch a scenario”); United States v. Bonallo, 858F.2d 1427, 1436 (9th Cir. 1988) (“The fact that itis possible to alter data contained in a computer isplainly insufficient to establishuntrustworthiness.”); United States v. Glasser,773 F.2d 1553, 1559 (11th Cir. 1985) (“Theexistence of an air-tight security system [toprevent tampering] is not, however, a prerequisiteto the admissibility of computer printouts. If sucha prerequisite did exist, it would become virtuallyimpossible to admit computer-generated records;the party opposing admission would have to showonly that a better security system was feasible.”).Id. at 559. This is consistent with the rule used toestablish the authenticity of other evidence suchas narcotics. See United States v. Allen, 106 F.3d695, 700 (6th Cir. 1997) (“Merely raising thepossibility of tampering is insufficient to renderevidence inadmissible.”). Absent specificevidence of tampering, allegations that computerrecords have been altered go to their weight, nottheir admissibility. See Bonallo, 858 F.2d at 1436.

2. Establishing the Reliability of ComputerPrograms


The authenticity of computer-generatedrecords sometimes implicates the reliability of thecomputer programs that create the records. Forexample, a computer-generated record might notbe authentic if the program that creates the recordcontains serious programming errors. If theprogram's output is inaccurate, the record may notbe “what its proponent claims” according to Fed.R. Evid. 901.

Defendants in criminal trials often attempt tochallenge the authenticity of computer-generatedrecords by challenging the reliability of theprograms. See, e.g., United States v. Dioguardi,428 F.2d 1033, 1038 (2d Cir. 1970); United Statesv. Liebert, 519 F.2d 542, 547-48 (3d Cir. 1975).The courts have indicated that the government canovercome this challenge so long as "thegovernment provides sufficient facts to warrant afinding that the records are trustworthy and theopposing party is afforded an opportunity toinquire into the accuracy thereof[.]" United Statesv. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990).See also Liebert, 519 F.2d at 547; DeGeorgia, 420F.2d. at 893 n.11. Compare Fed. R. Evid.901(b)(9) (indicating that matters createdaccording to a process or system can beauthenticated with “[e]vidence describing aprocess or system used . . . and showing that theprocess or system produces an accurate result”).In most cases, the reliability of a computerprogram can be established by showing that usersof the program actually do rely on it on a regularbasis, such as in the ordinary course of business.See, e.g., United States v. Moore, 923 F.2d 910,915 (1st Cir. 1991) (“[T]he ordinary businesscircumstances described suggest trustworthiness,. . . at least where absolutely nothing in the recordin any way implies the lack thereof.”)(computerized tax records held by the IRS);Briscoe, 896 F.2d at 1494 (computerizedtelephone records held by Illinois Bell). When thecomputer program is not used on a regular basisand the government cannot establish reliabilitybased on reliance in the ordinary course ofbusiness, the government may need to disclose“what operations the computer had beeninstructed to perform [as well as] the preciseinstruction that had been given” if the opposingparty requests. Dioguardi, 428 F.2d at 1038.

Notably, once a minimum standard oftrustworthiness has been established, questions asto the accuracy of computer records “resultingfrom . . . the operation of the computer program”affect only the weight of the evidence, not itsadmissibility. United States v. Catabran, 836 F.2d453, 458 (9th Cir. 1988).

Prosecutors may note the conceptual overlapbetween establishing the authenticity of acomputer-generated record and establishing thetrustworthiness of a computer record for thebusiness record exception to the hearsay rule. Infact, federal courts that evaluate the authenticityof computer-generated records often assume thatthe records contain hearsay, and then apply thebusiness records exception. See, e.g.,United States v. Linn, 880 F.2d 209, 216 (9th Cir.1989) (applying business records exception totelephone records generated “automatically” by acomputer); United States v. Vela, 673 F.2d 86, 89-90 (5th Cir. 1982) (same). As discussed later inthis article, this analysis is technically incorrect inmany cases: computer records generated entirelyby computers cannot contain hearsay and cannotqualify for the business records exception becausethey do not contain human “statements.” See PartB, infra. As a practical matter, however,prosecutors who lay a foundation to establish acomputer-generated record as a business recordwill also lay the foundation to establish therecord's authenticity. Evidence that a computerprogram is sufficiently trustworthy so that itsresults qualify as business records according toFed. R. Evid. 803(6) also establishes theauthenticity of the record. Compare United Statesv. Saputski, 496 F.2d 140, 142 (9th Cir. 1974).

3. Identifying the Author of Computer-StoredRecords

Although handwritten records may be pennedin a distinctive handwriting style, computer-storedrecords consist of a long string of zeros and onesthat do not necessarily identify their author. Thisis a particular problem with Internetcommunications, which offer their authors anunusual degree of anonymity. For example,Internet technologies permit users to sendeffectively anonymous e-mails, and Internet RelayChat channels permit users to communicate


without disclosing their real names. Whenprosecutors seek the admission of such computer-stored records against a defendant, the defendantmay challenge the authenticity of the record bychallenging the identity of its author.

Circumstantial evidence generally providesthe key to establishing the authorship andauthenticity of a computer record. For example, inUnited States v. Simpson, 152 F.3d 1241 (10thCir. 1998), prosecutors sought to show that thedefendant had conversed with an undercover FBIagent in an Internet chat room devoted to childpornography. The government offered a printoutof an Internet chat conversation between the agentand an individual identified as “Stavron,” andsought to show that “Stavron” was the defendant.The district court admitted the printout inevidence at trial. On appeal following hisconviction, Simpson argued that “because thegovernment could not identify that the statementsattributed to [him] were in his handwriting, hiswriting style, or his voice,” the printout had notbeen authenticated and should have beenexcluded. Id. at 1249.

The Tenth Circuit rejected this argument,noting the considerable circumstantial evidencethat “Stavron” was the defendant. See id. at 1250.For example, “Stavron” had told the undercoveragent that his real name was "B. Simpson," gave ahome address that matched Simpson's, andappeared to be accessing the Internet from anaccount registered to Simpson. Further, the policefound records in Simpson's home that listed thename, address, and phone number that theundercover agent had sent to “Stavron.”Accordingly, the government had providedevidence sufficient to support a finding that thedefendant was “Stavron,” and the printout wasproperly authenticated. See id. at 1250. See alsoUnited States v. Tank, 200 F.3d 627, 630-31 (9thCir. 2000) (concluding that district court properlyadmitted chat room log printouts in circumstancessimilar to those in Simpson). But see United Statesv. Jackson, 208 F.3d 638 (7th Cir. 2000)(concluding that web postings purporting to bestatements made by white supremacist groupswere properly excluded on authentication groundsabsent evidence that the postings were actuallyposted by the groups).

B. Hearsay

Federal courts have often assumed that allcomputer records contain hearsay. A morenuanced view suggests that in fact only a portionof computer records contain hearsay. When acomputer record contains the assertions of aperson, whether or not processed by a computer,the record can contain hearsay. In such cases, thegovernment must fit the record within a hearsayexception such as the business records exception,Fed. R. Evid. 803(6). When a computer recordcontains only computer-generated data untouchedby human hands, however, the record cannotcontain hearsay. In such cases, the governmentmust establish the authenticity of the record, butdoes not need to establish that a hearsay exceptionapplies for the records to be admissible.

1. Inapplicability of the Hearsay Rules toComputer-Generated Records

The hearsay rules exist to prevent unreliableout-of-court statements by human declarants fromimproperly influencing the outcomes of trials.Because people can misinterpret or misrepresenttheir experiences, the hearsay rules express astrong preference for testing human assertions incourt, where the declarant can be placed on thestand and subjected to cross-examination. SeeOhio v. Roberts, 448 U.S. 56, 62-66 (1980). Thisrationale does not apply when an animal or amachine makes an assertion: beeping machinesand barking dogs cannot be called to the witnessstand for cross-examination at trial. The FederalRules have adopted this logic. By definition, anassertion cannot contain hearsay if it was notmade by a human being. Can we just use the wordperson? See Fed. R. Evid. 801(a) (“A 'statement' is(1) an oral or written assertion or (2) nonverbalconduct of a person, if it is intended by the personas an assertion.”) (emphasis added) ; Fed. R. Evid.801(b) (“A declarant is a person who makes astatement.”) (emphasis added).

As several courts and commentators havenoted, this limitation on the hearsay rulesnecessarily means that computer-generatedrecords untouched by human hands cannot containhearsay. One state supreme court articulated thedistinction in an early case involving the use ofautomated telephone records:


The printout of the results of the computer’sinternal operations is not hearsay evidence. Itdoes not represent the output of statementsplaced into the computer by out of courtdeclarants. Nor can we say that this printoutitself is a “statement” constituting hearsayevidence. The underlying rationale of thehearsay rule is that such statements are madewithout an oath and their truth cannot betested by cross-examination. Of concern is thepossibility that a witness may consciously orunconsciously misrepresent what the declaranttold him or that the declarant may consciouslyor unconsciously misrepresent a fact oroccurrence. With a machine, however, there isno possibility of a consciousmisrepresentation, and the possibility ofinaccurate or misleading data onlymaterializes if the machine is not functioningproperly.

State v. Armstead, 432 So.2d 837, 840 (La. 1983).See also People v. Holowko, 486 N.E.2d 877,878-79 (Ill. 1985) (automated trap and tracerecords); United States v. Duncan, 30 M.J. 1284,1287-89 (N-M.C.M.R. 1990) (computerizedrecords of ATM transactions); 2 J. Strong,McCormick on Evidence § 294, at 286 (4thed.1992); Richard O. Lempert & Stephen A.Saltzburg, A Modern Approach to Evidence 370(2d ed. 1983). Cf. United States v. Fernandez-Roque, 703 F.2d 808, 812 n.2 (5th Cir. 1983)(rejecting hearsay objection to admission ofautomated telephone records because “the factthat these calls occurred is not a hearsaystatement.”). Accordingly, a properlyauthenticated computer-generated record isadmissible. See Lempert & Saltzburg, at 370.

The insight that computer-generated recordscannot contain hearsay is important becausecourts that assume the existence of hearsay maywrongfully exclude computer-generated evidenceif a hearsay exception does not apply. Forexample, in United States v. Blackburn, 992 F.2d666 (7th Cir. 1993), a bank robber left hiseyeglasses behind in an abandoned stolen car. Theprosecution's evidence against the defendantincluded a computer printout from a machine thattests the curvature of eyeglass lenses. The printoutrevealed that the prescription of the eyeglasses

found in the stolen car exactly matched thedefendant's. At trial, the district court assumedthat the computer printout was hearsay, butconcluded that the printout was an admissiblebusiness record according to Fed. R. Evid. 803(6).On appeal following conviction, the SeventhCircuit also assumed that the printout containedhearsay, but agreed with the defendant that theprintout could not be admitted as a businessrecord:

the [computer-generated] report in this casewas not kept in the course of a regularlyconducted business activity, but rather wasspecially prepared at the behest of the FBI andwith the knowledge that any information itsupplied would be used in an ongoingcriminal investigation. . . . In finding thisreport inadmissible under Rule 803(6), weadhere to the well-established rule thatdocuments made in anticipation of litigationare inadmissible under the business recordsexception.

Id. at 670. See also Fed. R. Evid. 803(6) (statingthat business records must be “made . . . by, ortransmitted by, a person”).

Fortunately, the Blackburn court ultimatelyaffirmed the conviction, concluding that thecomputer printout was sufficiently reliable that itcould have been admitted under the residualhearsay exception, Rule 803(24). See id. at 672.However, instead of flirting with the idea ofexcluding the printouts because Rule 803(6) didnot apply, the court should have asked whetherthe computer printout from the lens-testingmachine contained hearsay at all. This questionwould have revealed that the computer-generatedprintout could not be excluded on hearsay groundsbecause it contained no human “statements.”

2. Applicability of the Hearsay Rules toComputer-Stored Records

Computer-stored records that contain humanstatements must satisfy an exception to thehearsay rule if they are offered for the truth of thematter asserted. Before a court will admit therecords, the court must establish that thestatements contained in the record were made incircumstances that tend to ensure their


trustworthiness. See, e.g., Jackson, 208 F.3d at637 (concluding that postings from the websitesof white supremacist groups contained hearsay,and rejecting the argument that the postings werethe business records of the ISPs that hosted thesites).

As discussed earlier in this article, courtsgenerally permit computer-stored records to beadmitted as business records according to Fed. R.Evid. 803(6). Different circuits have articulatedslightly different standards for the admissibility ofcomputer-stored business records. Some courtssimply apply the direct language of Fed. R. Evid.803(6). See e.g.,United States v. Moore, 923 F.2d910, 914 (1st Cir. 1991); United States v.Catabran, 836 F.2d 453, 457 (9th Cir. 1988).Other circuits have articulated doctrinal testsspecifically for computer records that largely (butnot exactly) track the requirements of Rule803(6). See, e.g., United States v. Cestnik, 36 F.3d904, 909-10 (10th Cir. 1994) (“Computer businessrecords are admissible if (1) they are keptpursuant to a routine procedure designed to assuretheir accuracy; (2) they are created for motivesthat tend to assure accuracy (e.g., not includingthose prepared for litigation); and (3) they are notthemselves mere accumulations of hearsay.”)(quoting Capital Marine Supply v. M/V RolandThomas II, 719 F.2d 104, 106 (5th Cir. 1983));United States v. Briscoe, 896 F.2d 1476, 1494(7th Cir. 1990) (computer-stored records areadmissible business records if they “are kept inthe course of regularly conducted businessactivity, and [that it] was the regular practice ofthat business activity to make records, as shownby the testimony of the custodian or otherqualified witness.”) (quoting United States v.Chappell, 698 F.2d 308, 311 (7th Cir. 1983)).Notably, the printout itself may be produced inanticipation of litigation without running afoul ofthe business records exception. The requirementthat the record be kept “in the course of aregularly conducted business activity” refers tothe underlying data, not the actual printout of thatdata. See United States v. Sanders, 749 F.2d 195,198 (5th Cir. 1984).

From a practical perspective, the procedurefor admitting a computer-stored record pursuant tothe business records exception is the same as

admitting any other business record. Consider ane-mail harassment case. To help establish that thedefendant was the sender of the harassingmessages, the prosecution may seek theintroduction of records from the sender’s ISPshowing that the defendant was the registeredowner of the account from which the e-mails weresent. Ordinarily, this will require testimony froman employee of the ISP (“the custodian or otherqualified witness”) that the ISP regularlymaintains customer account records for billingand other purposes, and that the records to beoffered for admission are such records that weremade at or near the time of the events theydescribe in the regular course of the ISP’sbusiness. Again, the key is establishing that thecomputer system from which the record wasobtained is maintained in the ordinary course ofbusiness, and that it is a regular practice of thebusiness to rely upon those records for theiraccuracy.

The business record exception is the mostcommon hearsay exception applied to computerrecords. Of course, other hearsay exceptions maybe applicable in appropriate cases. See, e.g.,Hughes v. United States, 953 F.2d 531, 540 (9thCir. 1992) (concluding that computerized IRSforms are admissible as public records under Fed.R. Evid. 803(8)).

C. Other Issues

The authentication requirement and thehearsay rule usually provide the most significanthurdles that prosecutors will encounter whenseeking the admission of computer records.However, some agents and prosecutors haveoccasionally considered two additional issues: theapplication of the best evidence rule to computerrecords, and whether computer printouts are“summaries” that must comply with Fed. R. Evid.1006.

1. The Best Evidence Rule

The best evidence rule states that to prove thecontent of a writing, recording, or photograph, the“original” writing, recording, or photograph isordinarily required. See Fed. R. Evid. 1002.Agents and prosecutors occasionally expressconcern that a mere printout of a computer-stored


electronic file may not be an “original” for thepurpose of the best evidence rule. After all, theoriginal file is merely a collection of 0's and 1's. Incontrast, the printout is the result of manipulatingthe file through a complicated series of electronicand mechanical processes.

Fortunately, the Federal Rules of Evidencehave expressly addressed this concern. TheFederal Rules state that

[i]f data are stored in a computer or similardevice, any printout or other output readableby sight, shown to reflect the data accurately,is an “original”.

Fed. R. Evid. 1001(3). Thus, an accurate printoutof computer data always satisfies the bestevidence rule. See Doe v. United States, 805 F.Supp. 1513, 1517 (D. Hawaii. 1992). Accordingto the Advisory Committee Notes thataccompanied this rule when it was first proposed,this standard was adopted for reasons ofpracticality. While strictly speaking the original ofa photograph might be thought to be only the

negative, practicality and common usage requirethat any print from the negative be regarded as anoriginal. Similarly, practicality and usage conferthe status of original upon any computer printout.Advisory Committee Notes, Proposed FederalRule of Evidence 1001(3) (1972).

2. Computer Printouts as “Summaries”

Federal Rule of Evidence 1006 permits partiesto offer summaries of voluminous evidence in theform of “a chart, summary, or calculation” subjectto certain restrictions. Agents and prosecutorsoccasionally ask whether a computer printout isnecessarily a “summary” of evidence that mustcomply with Fed. R. Evid. 1006. In general, theanswer is no. See Sanders, 749 F.2d at 199;Catabran, 836 F.2d at 456-57; United States v.Russo, 480 F.2d 1228, 1240-41 (6th Cir. 1973).Of course, if the computer printout is merely asummary of other admissible evidence, Rule 1006will apply just as it does to other summaries ofevidence. òABOUT THE AUTHOR

ëOrin S. Kerr is a Trial Attorney, ComputerCrime and Intellectual Property Section, CriminalDivision, United States Department of Justice.a


Gambling Against Enforcement —Internet Sports Books and the WireWager ActJoseph V. DeMarcoAssistant United States AttorneySouthern District of New York

I. Introduction

Even as a certain "Madness" crowds networkairwaves during the month of March, and asAmericans gamble in various forms in ever-increasing numbers, gambling on sporting eventsis strictly regulated and, in most cases, prohibitedoutright under federal and state law.Notwithstanding these general prohibitions,however, the exponential growth in the use of theInternet by the mass public has been accompaniedby a corresponding growth in the creation ofInternet websites which offer Americans theability to gamble on-line without the need for aneighborhood bookie. From on-line privatelotteries, to on-line card games, "quiz shows," andtraditional sports books, these websites offerprivacy and anonymity to both the owners of thesites and their "clients" while, paradoxically,offering a perceived aura of legitimacy thatderives from the fact that anyone can "sign on" toand use them as freely as any legitimate e-commerce site.

This article examines one form of gamblingwebsite — the Internet sports book — and theapplication of the Wire Wager Act, 18 U.S.C.§ 1084, to enforcement operations directed againstthe operators of those websites. It willdemonstrate that, notwithstanding the novel formthat they take, these web-based books arefundamentally no different than bookmakingoperations run by traditional "pay phone" bookies,and that there is no reason why the Wire WagerAct should not apply to such high-tech Internetbookies. The article will also examine whyrecurring arguments that seek to precludeapplication of the Wire Wager Act to Internet

bookmakers — many of which can be, and oftenare, made in defense to prosecution of crimescommitted via the Internet under other federalstatutes — are unpersuasive.

II. The Rise Of The Internet Sports book

In the last several years, dozens of Internetsports books have sprung into existence. Many arelocated offshore, in Central American countries oron Carribean island nations where theirbookmaking activities are not illegal. Notably,however, these sports books are frequently run byAmericans and direct their activities to bettors inAmerica interested in gambling on Americansporting events such as baseball, football, andbasketball. Typically, the books accept bets onlyin U.S. currency, and further require that allwagering be done from pre-funded betting"accounts." Toward this end, their websitesprovide instructions to bettors on how to wiretransfer money to the sports books. Manyadvertise in U.S. magazines especially devoted tosports fans, in college newspapers, or on websitesdevoted to gambling generally or sports betting inparticular. Indeed, some sports books'advertisements have represented that theiroperations are legal, and have sought to reassurebettors that they can be trusted because they holdlicenses from, and are regulated by, their hostcountries. While some sports books operateentirely through Internet transmissions, otherspublish toll-free telephone numbers on theirwebsites or in advertisements so that bettors can,if they choose, call and place wagers with a liveoperator. Notably, although many Internetsportsbooks purport to accept wagers only frompersons having the legal capacity to gamble, thefact that most permit betting to be doneanonymously or through pseudonyms precludesmeaningful control of gambling by minors, much


less by persons who are intoxicated, or by personswith gambling addictions.

While precise data regarding the scale ofillegal activities is obviously difficult to obtain,illegal Internet sports gambling by Americans wasestimated by Sports Illustrated in 1998 to exceed$600 million, with a ten-fold increase predicted by2001. Indeed, in a recent trial of a sports bookoperator brought in the Southern District of NewYork involving an Antigua-based Internet sportsbook, the evidence established that over thecourse of one fifteen month period (when thebusiness was just getting off the ground),Americans wire-transferred in excess of $4.8million to the sports book in order to wager, andthat the sports book was already sizeable (andprofitable) enough to accept a $10,000 wager onthe outcome of a single football game.United States v. Jay Cohen, No. 98 Cr. 434(S.D.N.Y. 1998)

III. The Statute

A. Section 1084(a)

Known colloquially as the "Wire Wager Act,"Title 18, United States Code, Section 1084(a)provides that:

Whoever being engaged in the business ofbetting or wagering knowingly uses a wirecommunication facility for the transmission ininterstate or foreign commerce of bets orwagers, or information assisting in theplacement of bets or wagers on any sportingevent or contest, or for the transmission of awire communication which entitles therecipient to receive money or credit as a resultof bets or wagers, or for information assistingin the placing of bets or wagers, shall be finedunder this title or imprisoned not more thantwo years or both.

The purpose of the statute is two-fold:

(1)to assist the various States and the Districtof Columbia in the enforcement of their lawspertaining to gambling, bookmaking, and likeoffenses and [(2)] to aid in the suppression oforganized gambling activities by prohibitingthe use of wire communication facilitieswhich are or will be used for the transmission

of bets or wagers and gambling information ininterstate and foreign commerce.

United States v. McDonough, 835 F.2d 1103,1105 n.7 (5th Cir. 1988) (quoting legislativehistory). Section 1084, which was enacted in 1961as part of a series of anti-racketeering laws,compliments other federal anti-bookmakingstatutes. See e.g., 18 U.S.C. § 1952 (interstatetravel in aid of racketeering enterprises (includingenterprises involving gambling)), 18 U.S.C.§ 1953 (interstate transportation of wageringparaphernalia), and 18 U.S.C. § 1955 (prohibitingoperation of illegal gambling businesses).

In order to establish a violation of Section1084(a), the government must prove four things:

First, that the defendant was engaged in thebusiness of betting or wagering — in other words,that unlike a casual bettor, he or she derived all ormuch of his income from the business ofgambling. Thus, the statute typically has beenenforced against bookmakers and those that workfor bookmakers in connection with taking bets orwagers on sporting events or contests.

Second, that the defendant transmitted, ininterstate or foreign commerce, any one of thefollowing types of material: (a) bets or wagers; (b)information assisting in the placement of bets orwagers; or (c) a communication that entitled therecipient to receive money or credit as a result ofthe bet or wager.

Third, that the defendant used a "wirecommunication facility" to transmit thesematerials. A "wire communication facility" isdefined in Section 1081 as:

any and all instrumentalities, personnel,services (among other things, the receipt,forwarding, or delivery of communications)used or useful in the transmission of writings,signs, pictures, and sounds of all kind by aidof wire, cable, or other like connectionbetween the points of origin and reception ofsuch transmission.

Fourth, that the defendant acted "knowingly."Under prevailing caselaw, the defendant need notbe shown to have known that he or she wasviolating the law. All that must be shown is that


he or she knowingly, and not by accident ormistake, used a wire communications facility toengage in any one of the three prohibited forms oftransmissions described.

B. Section 1084(b)'s Safe Harbor

Subsection (b) of Section 1084 provides twonarrow exceptions to the prohibition imposed bySection 1084(a) on the foreign or interstatetransmission of material in furtherance of a sportsbetting business. Subsection (b) provides that:

Nothing contained in this section shall beconstrued to prevent the transmission ininterstate or foreign commerce of information[(1)] for use in news reporting of sportingevents or contests, or [(2)] for thetransmission of information assisting in theplacing of bets and wagers on a sporting eventor contest from a State or foreign countrywhere betting on that sporting event or contestis legal into a State or foreign country inwhich such betting is legal.

The first exemption was designed to permit "bonafide news reporting of sporting events orcontests." H.R. Rep. No. 967, 87th Cong., 1st.Sess. (1961), reprinted in 1961 U.S.C.C.A.N.2631, 2632. The second exception — under whichInternet sports book operators frequently seekprotection — was created for the discrete purposeof permitting the transmission of informationrelating to betting on particular sports where suchbetting was legal in both the state from which theinformation was sent and the state in which it wasreceived. See, e.g., Sterling Suffolk RacecourseLtd. v. Burrillville Racing Ass'n, 989 F.2d 1266,1272-73 (1st Cir. 1993) (noting that "[t]helegislative history of section 1084 shows beyondperadventure that Congress enacted section1084(b) for the express purpose of allowing off-track betting in venues where states chose tolegalize such activity"). To fall within this aspectof the safe harbor two things must be established:(1) that only "information" was transmitted, and(2) that it was "legal" under the laws of therelevant states to place a bet on that sporting eventin the jurisdiction from which the information wassent as well as the jurisdiction in which theinformation was received.

As the House Report which accompanied theintroduction of Section 1084 explained, thesecond exemption was intended to permit "thetransmission of gambling information on ahorserace from a State where betting on thathorserace is legal to a State where betting on thatsame horserace is legal." H.R. Rep. No. 967, 87thCong., 1st. Sess. (1961), reprinted in 1961U.S.C.C.A.N. 2631, 2632. Thus, Congress did notwant to criminalize the transmission ofinformation relating to horse races in New York tobettors in Nevada. See id. at 2632-33. Theinformation, however, could not legally flow theother way. Because it was illegal under New Yorklaw to place a bet in New York on a horse raceheld in Nevada, this form of transmission felloutside the exemption contained in Section1084(b). See id. at 2632.

It is important to remember, however, that theexemption only applies to "information assistingin the placing of bets and wagers on a sportingevent or contest," and not to the other twocategories of material to which Section 1084(a)applies: the "bets or wagers" themselves, or"communications which entitle the recipients toreceive money or credit as a result of bets orwagers." 18 U.S.C. § 1084. See McDonough, 835F.2d at 1105 ("'[n]othing in the exemption . . . willpermit the transmission of bets and wagers . . .from or to any State, whether betting is legal inthat State or not.'") (quoting legislative history).

IV. Defenses Raised To Enforcement And WhyThey Fail

Against the backdrop of a clearly newtechnology — the Internet — and a lawconcededly passed at a time when the Internet didnot exist, a number of offshore Internet sportsbook operators charged under Section 1084(a)have claimed that the statute does not criminalizetheir bookmaking activities. Challengingprosecutions that have been brought in severaldistricts, they have asserted numerous defenseswhich, while having superficial appeal, ultimatelyfail to withstand scrutiny. These argumentsinclude the following:


A. Lack of Extraterritorial Jurisdiction

A number of sports book operators haveargued that they are immune because theirconduct occurs entirely offshore. Arguing thattheir offices and employees as well as thecomputer servers that host their websites andrecord the bets are all physically located in othercountries, defendants have claimed that whenAmericans access their websites, they make a"virtual visit" to the foreign country. Since sportsbetting is legal there, the argument continues, theInternet sports book is no more illegal than acasino in Nevada which caters to traditionalvisitors. Indeed, the sports books have argued,their operations are not subject to the regulation ofany state or nation because everything occurs in"cyberspace."

While many of these sports books websitesare hosted from computers based offshore(although some only purport to be), the notion thata person "travels" to these foreign nations bycommunicating with computers there is aspersuasive as the notion that a person who picksup a telephone and dials a friend in Londonshould first put on a raincoat. Section 1084(a) byits terms regulates transmissions in "interstate andforeign commerce," evidencing Congress' desirethat the statute apply to conduct which occursoutside the United States but causes effects withinthe United States. After soliciting bets fromAmericans and inviting Americans to send themmoney, the notion that everything has happened"in cyberspace" and not the United States issimilarly inaccurate. Tellingly, the idea of"cyberspace" as a discrete physical place comesfrom a science fiction novel. See William Gibson,Neuromancer 51 (1985).

Indeed, as one court colorfully stated inrejecting arguments by a lottery operator inMexico who solicited bets from Texans:

If pistol or poison takes intended criminaleffect from Mexico in the United States, theUnited States may punish it if it can catch thecriminals. The effect in the United States ofthe act done in Mexico draws to it jurisdictionto punish those who are responsible for it. Itmay properly be alleged as done in theUnited States. These mailed lottery receipts

and checks are like bullets that hit their mark.. . . Jurisdiction exists from the standpoint ofinternational law.

Horowitz v. United States, 63 F.2d 706, 709 (5thCir. 1933). Accordingly, the use of the Internet,even from offshore locations, should not defeatapplication of Section 1084.

B. Legal in Host Country

A number of defendants have also argued thattheir conduct is expressly lawful under the laws oftheir host countries. Indeed, several point out, theyare required to be licenced by their hostgovernments, and can obtain licences only afterallegedly undergoing rigorous screening byregulators in their host countries. Under suchcircumstances, it is claimed, enforcement ofSection 1084(a) is improper. This argument alsomisses the point, for whether particular conduct isviolative of foreign law is not determinative ofwhether it is violative of United States law. TheSupreme Court has noted that even conductexpressly encouraged by foreign governmentsmay violate United States law. See Hartford FireIns. Co. v. California, 509 U.S. 764, 795 (1993)("the fact that conduct is lawful in the state inwhich it took place will not, itself, bar applicationof the United States antitrust laws, even where theforeign state has a strong policy to permit orencourage such conduct"). Moreover, sinceignorance of law is no defense to a Section1084(a) prosecution, reliance on the legality ofconduct under foreign law should be similarlyirrelevant. In sum, issues of foreign law have noplace in a Section 1084(a) case, and prosecutorsbringing such cases would do well to submit an inlimine motion precluding resort to such a defenseat the earliest hint that it may be asserted.

C. No "Transmission"

A number of defendants have argued thatbecause Section 1084(a)'s reference to precludedtransmissions applies only to communicationsinitiated by the sports book, Internet sports booksdo not engage in prohibited transmissions sincethey merely make their websites available forviewing by the bettors, who take a "snapshot" ofwhat is on the computer server hosting thewebsite. This argument is also invalid because it


ignores the fundamental technology of how theInternet is used to access computer websites.Simply put, that access involves a continualstream of two-way data transfers between thecomputers which support the website and thecomputer used by the person viewing the site. SeeMinnesota v. Granite Gate Resorts, 1996 WL767431, at *9 (D. Minn. Dec. 11, 1996) (notingthat if Internet sports book "did not send anelectronic transmission back to the [Minnesota]computer user, the computer user would seenothing. He or she would see a blank screen.")

Additionally, every circuit to have consideredthe issue, save one, has held that "transmission" asused in Section 1084(a) involves both the sendingand the receipt of communications by the bettor.The one Circuit to hold otherwise, United States v.Stonehouse, 452 F.2d 455, 456 (7th Cir. 1971),involved a defendant's receipt of a western Unionwire ticker — a form of communicationintrinsically limited to one-way communicationsof data.

D. No "Bets or Wagers" Transmitted

Another common argument raised by Internetsports book operators is that their system ofwagering, which requires betting from pre-fundedwagering accounts and not on credit, somehowdistinguishes their operations from the operationof traditional bookies who operate on credit.According to this argument, instructions to wagera specific amount of money on the outcome of aspecific game constitute merely "informationassisting in the placement of bets," with thetransmission of the bets themselves being doneentirely in the foreign nation by employees of thebookmaker acting as "agents" for the bettor.Because it is not a crime under the laws of manyStates to place a sports bet with a bookie, thisargument posits that both requirements of Section1084(b)'s safe harbor are therefore met when aperson in a state where betting is not a crimewagers money from a pre-funded account with abookmaker in a foreign nation where betting islegal. Of course, some state statutes do permit off-track horse wagering, and authorize suchwagering based on the distinction betweenwagering on credit and wagering from pre-fundedaccounts (so-called "account wagering"). The

problem for sports book operators who make thisargument, however, is that Section 1084 makes nosuch distinction. Rather, Section 1084(a) prohibitsthe transmission of bets and wagers regardless ofhow the bookie and bettor structure their financialrelationship. See United States v. Ross, 1999 WL782749 (S.D.N.Y. Sep. 16, 1999), at *7. It wouldbe absurd to think that Congress meant to make anentire class of transaction otherwise criminalizedby Section 1084(a) dependent upon whether abookie operated on credit or required cash-up-front from the bettor. See id.

In sum, while the statute specifically does notdefine what constitutes a "bet" or "wager," thatlack of definition only means that a court shoulduse the common and ordinary meaning of theterm. The only reported case to do so has, notsurprisingly, held that a bet or wager istransmitted when a person picks up a telephone(or accesses a computer connected to the Internet)and stakes a specific sum of money on theoutcome of a specific sporting event. See Ross,1999 WL 782749, at *5-7.

E. Betting is Legal in State in Question

Finally, seizing upon the fact that some statesdo not make it a crime for a bettor to place asports bet, a number of sports book operators haveattempted to satisfy this requirement of theSection 1084(b) safe harbor by arguing that theonly betting that does not qualify for the safeharbor is betting that is made criminal under statelaw. This argument also should be unavailing, forwhile it is true that placing a bet (without more)may not be a crime under state law, many statesstill prohibit such betting. See, e.g., N.Y. Const.Art. I, § 9 (prohibiting all betting not specificallyauthorized by the legislature); N.Y. Gen. Oblig.Law § 5-401 (all betting not expressly authorizedby the legislature made "unlawful"). Once again,common sense understanding of the terms used inthe statute should apply, and betting does notbecome "legal" simply because it is not madecriminal.

V. Conclusion

Many of the challenges to Section 1084(a)prosecutions will likely be, or at least should be, resolved prior to trial. Consideration beforehand


of those issues that frequently arise as defenses toprosecutions of Internet sports books will equip aprosecutor to explain to a court and, ultimately, toa jury, why the novelty of the medium does nottranslate into lack of enforceability.ò

ABOUT THE AUTHOR

ëJoseph V. DeMarco has been an AssistantUnited States Attorney in the Southern District ofNew York since 1997, where he serves asComputer and Telecommunications CrimesCoordinator. Currently, he is on detail to theDepartment's Computer Crime and IntellectualProperty Section (CCIPS).a

Working with Victims of ComputerNetwork HacksRichard P. SalgadoTrial AttorneyComputer Crime and IntellectualProperty Section

In our ten years’ experience in detecting,locating, and prosecuting network intruders(hackers) we have seen that, as with many offlinecrimes, robust law enforcement alone cannot solvethe network intruder problem. To be effective, anyoverall strategy must include the owners andoperators of the nation’s computer networks. Theyare the first line of defense and have theresponsibility to take reasonable measures toensure that their systems are secure. They are alsoin the best position to detect intrusions and takethe first critical steps to respond. At the most basiclevel, we rely on network operators to report to uswhen their systems are hacked. Intrusion victims,however, are often even more reluctant to call lawenforcement than other business victims. Thisreluctance has been reflected in the surveysconducted jointly by the Computer SecurityInstitute and the FBI. In the year 2000 survey, forexample, only 25% of the respondents whoexperienced computer intrusions reported theincidents to law enforcement. To betterunderstand why and to learn how we can promotereporting, the Department of Justice hasundertaken a concerted effort to reach out to theoperators of our nation’s computer networks.

As part of this effort, the Department, throughthe Computer Crime and Intellectual PropertySection, has participated with the InformationTechnology Association of America in severalindustry-government summits this past year. Thefirst two summits (held in Palo Alto, California,and Herndon, Virginia, respectively) werenational in scope. Several regional summitsfollowed, with more in the planning. Thediscussions in the summits concentrated on howlaw enforcement and victims of computerintrusions could work better together. Althoughseveral larger themes common to all the summitsbecame apparent, one theme of particular concernwas that private victims of computer networkintrusions are reluctant to report the crimes to lawenforcement.

The reluctance of intrusion victims to reportposes a significant problem to the development ofnetworked computers generally, and the Internetin particular. Although, upon finding a hacker inhis or her system, a system administrator may becontent to close the intruder’s account and fix thevulnerability (essentially kicking the hacker outand locking the door), this provides little truesecurity. Not only is the hacker free to try theexploit on another company’s network, the hackermay have left behind back doors through which heor she can return to the computer undetected. Inaddition, through the hacker community, othersmay learn of the exploit and, emboldened by the


lack of any law enforcement response, join incompromising computer systems. It is folly tobelieve that any particular hacker is motivated bythe desire to show-off computing prowess with noreal intent to damage, steal, or defraud. What mayappear to be a simple hack with no real risk ofdamage can, in fact, be a part of a larger schemeto launch a very destructive attack against otherhighly sensitive machines. Intruders maycompromise many systems, collecting them likebaseball cards. Some hackers use the “stolen”computers to launch attacks against othercomputers, shutting down the next victim, takinginformation from the systems, and using the stolendata in extortion schemes, or to engage ininnumerable other types of illegal conduct. Witheach compromise, the security of our nation’snetworks diminishes. Without reporting byvictims, law enforcement cannot provide aneffective and appropriate response.

Myths and Misunderstandings

During the summits, some of the industryparticipants claimed a wide variety of reasons forthe reluctance to report hacks. The perception onthe part of some businesses is that there is littleupside to reporting network intrusions. Theperceived rationale for not reporting an intrusioninclude the following:

! The victim company does not know whichlaw enforcement entity to call. Surely, thevictim reasons, the local or state police willnot be able to comprehend the crime and theFBI and Secret Service would have no interestin my system.

! If the victim company does report theintrusion to an appropriate agency, lawenforcement will not act. Instead, the fact ofthe intrusion will become public knowledge,irreparably shaking investor confidence anddriving current and potential customers tocompetitors who elect not to report intrusions.

! If law enforcement does act on the report andconducts an investigation, law enforcementwill not find the intruder. In the process,however, the company will lose control of theinvestigation. Law enforcement agents willseize critical data, and perhaps entire

computers, damage equipment and files,compromise private information belonging tocustomers and vendors, and seriouslyjeopardize the normal operations of thecompany. Only competitors will benefit ascustomers flee and stock value drops.

! If law enforcement finds the intruder, theintruder likely will be a juvenile, reside in aforeign country, or both, and the prosecutorwill decline or be unable to pursue the case.

! If the intruder is not a minor, the prosecutorwill conclude that the amount of damageinflicted by the intruder is too small to justifyprosecution.

! If law enforcement successfully prosecutesthe intruder, the intruder will receiveprobation or at most insignificant jail time,only to use his or her hacker experience tofind fame and a lucrative job in networksecurity.

As formidable as the list of excuses mayappear, these deterrents to reporting can beovercome by better-informed computer networkowners and operators, and skillful investigatoryand prosecutorial practice. Further, the riskpresented by failing to report intrusions istremendous. For the foreseeable future, ournation’s networks are only going to get morecomplex, more interconnected and thus morevulnerable to intrusions. Networks are also goingto be more important to our private lives, thenation’s defense, and our world’s economy. Ifthere was a single clear mandate from thesummits, it was that we must get the word outexplaining why victims should report intrusions.

The Case for Reporting

Law enforcement needs to debunk the mythsthat have developed about the dangers ofreporting intrusions and to sharpen ourinvestigatory and prosecutorial practices. We alsoneed to make an affirmative case for reporting tolarge network computer operators, focusing on thevalue to the company of reporting. In the courseof the summits, it became clear that the messageto operators and owners of computer networks isbest delivered before a crises arises, when


relationships can be built without the pressure ofan ongoing investigation.

Debunking the Myths and Explaining theBasics

Perhaps the most basic piece of information toconvey to victims concerns to whom the victimshould report. Law enforcement agencies at alllevels have developed some familiarity withcomputer crime investigations in the recent years,and if they are not equipped to handle complexcomputer intrusion cases, they are at least able topromptly refer reports to agencies that are. Weneed to ensure that large computer networkoperators know the law enforcement agencies intheir area that have the necessary forensic andprosecutorial expertise and resources. Victimsalso need to understand that law enforcement doesview intrusions as important and will respondappropriately.

Publicity that may follow reporting was also aconcern that pervaded the summits. As a rule,agents and prosecutors need to ensure that theyhandle business information with a great deal ofdiscretion. Similarly, law enforcement has to besensitive to victims’ concerns arising from theseizure of data from internal corporate networks.Most of the industry participants in the summitsthought that law enforcement investigators wouldremove the servers, proceed without any victiminput, that it would disrupt the normal operationsof the company for weeks at a time, and that lawenforcement’s involvement would mean that thecompany could not take steps to secure the systemor conduct its own investigation. Contrary to thisbelief, many investigations actually require inputfrom the victim’s system operator for technicaloperations. Communication with potential victimsprior to any investigation would likely go a longway to address these concerns. Similarly, duringinvestigations, law enforcement can work with thevictims to ensure that the investigation remainsconfidential.

Certainly every investigation poses its ownunique challenges, and there is no way to predict,with certainty, how any particular investigationwill proceed. We have seen, and undoubtedly willsee again, instances where a victim wants to takemeasures that are in conflict with the investigative

strategy. For example, where there is a series ofintrusions into a victim’s network, the victim maywant to shut the intruder out of the system andpatch the vulnerability. Law enforcement mayprefer that the company leave the system open sothat the hacker will not know he or she has beendetected, and the agents can monitor the hacker’sactivity and track the hacker’s origins. If there is acooperative and trusting relationship between lawenforcement and the victim that predates theintrusion, the agents and the company are morelikely to find a resolution that works for both. Inthis example, the agents and system operator maybe able to configure the network such that it issecure against future exploits, but appears to thehacker to remain open. Law enforcement can bothprotect the victim and pursue the intruder.

Many of the industry representativesexpressed doubt about the ability of lawenforcement to find the culprits. Certainly,tracking intruders is a very challenging task for avariety of reasons. Industry representatives readilyacknowledged, however, that intruders will not becaught if the victim does not report. In any event,law enforcement has become much moresophisticated at tracking communications inrecent years and even juvenile intruders are notimmune from prosecution. Even if the juvenile isoutside the United States, many foreign countrieshave been willing to prosecute.

Highlighting the Value of Reporting

There are also business reasons for companiesto report intrusions cases. The two primary valuesto victims in calling law enforcement come fromthe deterrence that prosecution provides andpotential restitution to the victim.

Specific deterrence is perhaps one of the mostcompelling reasons for a company to report anintrusion. When law enforcement catches andsuccessfully prosecutes an intruder, that intruderis deterred from future assaults on the victim. Thisis a result that no technical fix to the network canduplicate with the same effectiveness. Intrusionvictims may try to block out an intruder by fixingthe exploited vulnerability, only to find that theintruder has built in a back door and is able toaccess the system at will. There have beeninstances in which a system operator, believing he


or she is locking the intruder out for good,expends a great deal of time and effort tocompletely rebuild the network using backupmedia, only to find that the exploit was present inthe backup and was simply reintroduced. Ofcourse, a victim could initiate its owninvestigation to find the intruder. If successful, thevictim may be able to initiate a civil suit fordamages. In many (if not most) cases, however,the victim is at a substantial disadvantage relativeto law enforcement in this effort. Lawenforcement is able to obtain wiretap, pen/trapand trace orders, enforceable data preservationrequests and other criminal process unavailable toa private party. Further, a monetary award isunlikely to serve as the same deterrent as a jailsentence or even probation. The generaldeterrence that criminal law enforcement providesalso benefits victims and potential victims in thelong run.

Restitution is also an attractive motive forvictim reporting. Being a victim of intrusion isalmost always an expensive proposition. Aresponsible victim must survey the system todetermine whether any data was taken ordamaged, and if so must repair the damage. Thevictim must analyze the network to determine ifthere are any remaining holes in the system, checkthe integrity of the logs, identify the means bywhich the intruder accessed the system, and patchthe vulnerability. The costs can be very high, andcan grow when the victim includes the loss ofbusiness and the lost productivity of the technicalstaff dedicated to the intrusion. The victim may beable to recoup some or all of the expenses throughrestitution.

Reporting a criminal computer intrusion tolaw enforcement may also help the victim recoverunder insurance policies for damage to its systemor damage inflicted on a third party resulting fromthe intrusion. Director and Officer insurancepolicies, for example, may exclude coverage if asa result of the victim’s decision not to report theintrusion to law enforcement, the intruder inflictedadditional damage to the victim system orattacked another’s network using the victim’ssystem. By reporting the intrusion in the firstinstance, however, the victim decreases the riskthat the carrier could deny a claim made.

Similarly, where a victim’s network iscompromised and used to attack another systemdownstream, the victim may find itself adefendant in civil litigation brought by thatdownstream victim. If the victim has reported tolaw enforcement, it will be able to use the fact thatit called in law enforcement as part of its defenseof a claim, for example, that the victim did nottake reasonable steps to prevent its network frombeing used as a platform to attack the plaintiff.

Making the Case and Selecting theAppropriate Audience

The summits illustrated that informal face-to-face meetings between law enforcement andrepresentatives of potential intrusion victims is avaluable means to address concerns that thevictims may have about reporting. Those industryrepresentatives at the summits that had pre-existing relationships with law enforcementalmost uniformly expressed an understanding ofthe need to report intrusions, and a willingness todo so. Those most reluctant to report, it appearedfrom the summits, were representatives who hadno such relationship. Discussions in the heat of aninvestigation are far less likely to be productivethan frank and informal dialogue prior to anincident. Prosecutors and agents should take thetime to reach out to the large computer operatorsin their jurisdictions and build such relationships.

It is imperative that the message is heard bythose who make the decisions. Some informationsecurity (IS) managers, for example, are veryprotective of “their” systems and will takeumbrage at intrusions. They may not be contentwith simply re-securing the system in the hopethat the hacker will not return, and will want thecriminal arrested and prosecuted. They view lawenforcement as a part of their security system; oneof many resources that responsible networkoperators will use when the security of thenetwork has been compromised. Other ISmanagers may be less receptive to reportingintrusions, even to their own superiors. The veryfact of an intrusion, an IS manager may fear,suggests that he or she failed to properly securethe system. It has also become common for lawenforcement to receive hacking reports from ISmanagers, but receive less than enthusiastic


cooperation from the victim company once thefact of the hack is brought to the attention of thevictim’s higher-level management or generalcounsel. For the message to be effective, it mustbe heard by all the decision makers.

To get the word out, prosecutors and agentsshould take the time to reach out to the largecomputer operators in their jurisdictions. Inaddition to meeting with representatives ofinformation technology companies such asInternet and telecommunications serviceproviders, agents and prosecutors should look toother common targets of hacks includinguniversities, e-commerce and web-based retailers,and any organization that is reliant on largecomputer networks for operations. In addition,many jurisdictions are the home for informationsecurity associations, computer technology barassociations, and similar organizations. Thosegroups can provide law enforcement a solid forumin which to reach many network operators andcounselors. The Computer Crime and IntellectualProperty Section can help in this effort.

The perception that law enforcement andprivate computer network operators have separateand independent responsibilities in the battleagainst hackers is wrong. Although the networkowners have the obligation to secure theirsystems, and law enforcement has an obligation toinvestigate and prosecute when appropriate,

neither can function effectively without the other.Network operators need to view law enforcementas a necessary part of system protection, and lawenforcement agencies need to be able to count onthe cooperation of victims to fulfill theirresponsibilities.òABOUT THE AUTHOR

ëRichard P. Salgado is a trial attorney in theComputer Crime and Intellectual Property Sectionof the Criminal Division of the United StatesDepartment of Justice. In that role, he addresses awide variety of complex legal and policy issuesthat arise in connection with new technologies.His responsibilities include training investigatorsand prosecutors on the legal and policyimplications of emerging technologies and relatedcriminal conduct. Mr. Salgado also prosecutes andprovides advice on computer hacking and networkattacks, and other advanced technology crimesincluding denial of service attacks, logic bombs,viruses and computer extortion, wiretaps andother technology-driven privacy crimes. Mr.Salgado also participates in policy developmentrelating to emerging technologies, and in theDepartment's computer crime industry outreachefforts. Mr. Salgado has also served as leadnegotiator on behalf of the Department indiscussions with communications serviceproviders to ensure that the ability of theDepartment to enforce the laws and protectnational security is not hindered by foreignownership of the providers or foreign locatedfacilities.a


Supervised Release and ProbationRestrictions In Hacker CasesChristopher M.E. PainterDeputy Chief, Computer Crimeand Intellectual Property Section

An often overlooked aspect of sentencing incomputer crime cases are conditions that the courtcan impose as part of a sentence of probation orsupervised release. These conditions can betailored to restrict, among other things, adefendant’s employment, associations, and otheractivities, once he is released from any term ofimprisonment the court imposes to protect thepublic and aid in a defendant’s rehabilitation.Such conditions are routinely imposed in non-computer crime cases. For example, in bank fraudcases or insurance fraud cases, courts oftenimpose conditions restricting a defendant’semployment in those industries. In investmentfraud cases, defendants are prohibited fromhandling other people’s money and intelemarketing cases, courts have prohibiteddefendants from soliciting investors, using namesother than their own and have even restricted theiraccess to telephones.

Appropriate restrictive supervised releaseconditions are even more important in hackercases. In many hacker cases, the defendants haveengaged in illegal conduct over a protractedperiod, are recidivists, or have otherwisedemonstrated that they are unlikely to refrain fromillegal hacking even after a conviction orimprisonment. In these cases, restrictiveconditions that proscribe certain kinds ofotherwise lawful conduct, such as use of aliases,association with other hackers, or, in extremecases, access to computers and computernetworks, serve to protect the public. This isparticularly true when the sentence ofimprisonment is either relatively short or whereprobation is imposed, despite the destructivenessof a defendant’s conduct, or because the fullextent of a defendant’s activities is notdetermined. In other cases, particularly where the

defendant is young, there is a good chance ofrehabilitation. In these cases, supervised release orprobation conditions can aid a defendant’srehabilitation by controlling or monitoring hisaccess to those things that have tempted him inthe past. In either case, appropriately tailoredconditions can aid the probation office and thecourt in monitoring a defendant’s conduct for theperiod of supervised release or probation to ensurehe does not engage in further illegal conduct. If adefendant violates those conditions, the probationofficer can seek revocation or modification ofsupervised release or probation and the court canimpose additional imprisonment or refine therestrictions on the defendant’s conduct.

In general, in addition to certain mandatoryconditions of supervised release, the court mayorder "any other condition it considers to beappropriate" so long as the conditions are"reasonably related" to the factors set forth in18 U.S.C. §§ 3553(a)(a), (1)(2)(B), (a)(2)(C), and(a)(2)(D). 18 U.S.C. § 3583(d). Specifically,conditions of the release must be reasonablyrelated to the following factors:

• the nature and circumstances of theoffense and the history andcharacteristics of the defendant; and

• the need for the sentence imposed –(B) . . . to afford adequate deterrenceto criminal conduct; (C) to protect thepublic from further crimes of thedefendant; and (D) to provide thedefendant with needed educational orvocational training, medical care, orother corrective, treatment in the mosteffective manner. 18 U.S.C. § 3553.

See also United States Sentencing Guidelines("U.S.S.G") § 5D1.3(b). The probation statute,18 U.S.C. § 3563, also allows the imposition ofdiscretionary conditions that are related to "theneed for the sentence imposed . . . to reflect theseriousness of the offense, to promote respect for


the law, and to provide just punishment for theoffense," 18 U.S.C. § 3553(a)(2)(A), whereas thesupervised release statute does not. United Statesv. Eyer, 67 F.3d 1386, 1392 n.8 (9th Cir. 1995).

These conditions are not prerequisites, and acourt may properly impose a condition ofsupervised release that is reasonably related toonly some of these factors. United States v.Johnson, 998 F.2d 696, 697-98 (9th Cir. 1993). The conditions must also involve no greaterdeprivation of liberty than is reasonably necessaryfor the purposes set forth above. 18 U.S.C.§ 3583(d). Furthermore, the conditions must beconsistent with pertinent policy statements issuedby the Sentencing Commission. Id. In settingconditions, including those "restrictingfundamental rights," the sentencing court hasbroad discretion. United States v. Bolinger,940 F.2d 478, 480-81 (9th Cir. 1991).

U.S.S.G. § 5F1.5 allows a court to impose acondition of supervised release restrictingemployment in a specified occupation, business,or profession if it determines that:

• a reasonably direct relationshipexisted between the defendant’soccupation, business, or professionand the conduct relevant to theoffense of conviction; and

• imposition of such a restriction isreasonably necessary to protect thepublic because there is reason tobelieve that, absent such restriction,the defendant will continue to engagein unlawful conduct similar to that forwhich the defendant was convicted.

That section also states that "[i]f the court decidesto impose a condition of probation or supervisedrelease restricting a defendant’s engagement in aspecified occupation, business, or profession, thecourt shall impose the condition for the minimumtime and to the minimum extent necessary toprotect the public." Id.

The range of permissible discretionaryconditions a court can impose is exceptionallybroad and permits a wide range of restrictionsdepending on the facts of an individual case andthe history and prospects of the defendant. In a

first-time hacker case, the restrictions could be assimple as a prohibition against unauthorized useof computer systems, a prohibition againstassociation with others who have engaged inillegal hacking activities, and a directive thatdefendant use his own name when communicatingonline. On the other side of the spectrum, muchbroader conditions may be warranted.

For example, in the prosecution of the prolificand notorious computer hacker Kevin Mitnick, thecourt imposed the following conditions as part ofhis sentence:

Without the prior express writtenapproval of the probation officer:

• The defendant shall not possess oruse, for any purpose, the following:

• Any computer hardwareequipment;

• Any computer softwareprograms;

• Modems;

• Any computer relatedperipheral or supportequipment;

• Portable laptop computers,"personal informationassistants," and derivatives;

• Cellular telephones;

• Televisions or otherinstruments ofcommunication equippedwith on-line, Internet, world-wide web, or other computernetwork access;

• Any other electronicequipment, presentlyavailable or new technologythat becomes available, thatcan be converted to or has asits function the ability to actas a computer system or toaccess a computer system,computer network ortelecommunications network


(except defendant maypossess a "land line"telephone);

• The defendant shall not beemployed in or perform servicesfor any entity engaged in thecomputer, computer software, ortelecommunications business andshall not be in any capacitywherein he has access tocomputers or computer-relatedequipment or software;

• The defendant shall not accesscomputers, computer networks, orother forms of wirelesscommunications himself orthrough third parties;

• The defendant shall not act as aconsultant or advisor toindividuals or groups engaged inany computer-related activity;

• The defendant shall not acquire orpossess any computer codes(including computer passwords),cellular phone access codes, orother access devices that enablethe defendant to use, acquire,exchange, or alter information ina computer ortelecommunications databasesystem;

• The defendant shall not use orpossess any data encryptiondevice, program or technique forcomputers;

• The defendant shall not alter orpossess any altered telephone,telephone equipment, or any othercommunications-relatedequipment;

• The defendant shall only use histrue name and not use any alias orother false identity.

These conditions that both restrict defendant’saccess to computers, computer networks, andcellular phones and restrict his employment in the

computer or telecommunications industries, werejustified and necessitated by defendant’s habitualhacking activities and long history of failing toobey court-ordered restrictions on his conduct.Mitnick engaged in criminal hacking andtelecommunications fraud from the time he was ajuvenile. In 1988, after several state convictionsand revocations of probation for computer fraud,defendant was charged and pled guilty in federalcourt for hacking into Digital EquipmentCorporation computers, stealing proprietarysoftware, and using unauthorized access devices.He was sentenced to twelve months in prisonfollowed by a three year period of supervisedrelease. The judge imposed straightforwardconditions of supervised release prohibitingMitnick from engaging in further illegal accessinto computer or telecommunications networksand prohibiting him from associating with othersknown to have engaged in such conduct.Nevertheless, near the end of his supervisedrelease term, Mitnick hacked into Pacific Bellvoice mail computers and associated in thisendeavor with another individual (and later co-conspirator) who had previously been convictedof computer fraud.

A warrant was issued for Mitnick’s arrest andhe fled, becoming a fugitive for the next two andone half years. During this time, Mitnick engagedin a virtual "hacking spree" gaining unauthorizedaccess to dozens of computer networks usingcloned cellular phones to hide his location and,among other things, stealing valuable proprietarysoftware from some of the country’s largestcellular telephone and computer companies.Mitnick also intercepted and stole computerpasswords, altered computer networks, and brokeinto and read private e-mail. Mitnick wasapprehended in February 1995 in North Carolina.When arrested he was found with cloned cellularphones, over one hundred clone cellular phonecodes, and multiple pieces of false identification.

In imposing the extensive conditions ofsupervised release, the judge held a number ofhearings and based her ruling on defendant’s longhistory of hacking, defendant’s inability tocomply with less onerous restrictions and, mostimportantly, the need to protect the public. Thecourt’s focus on the "tools" Mitnick has habitually


used to commit past criminal conduct, computerand cellular phones, was wholly appropriate givendefendant’s seeming inability to use these tools ina law-abiding manner. Given his past extensiveand repeated criminal conduct, and the prospectthat, unsupervised, he would be tempted to engagein the conduct again, the court expressly statedthat the conditions were designed to protect thecommunity. The court’s occupational restrictionsprohibiting his employment in the computer andtelecommunications industries were similarlydesigned primarily to protect the public fromfuture illegal conduct by removing both the toolsMitnick could use to commit this conduct and thetools that might tempt him to furthertransgressions.

Of course, conditions as broad as the onesimposed in the Mitnick case must be justified bythe facts of the case at issue. If such conditions arejustified by a defendant’s history and the nature ofthe offense, and if the judge makes an adequaterecord to support his or her findings, they shouldsurvive any challenge raised on appeal. Commonchallenges to conditions of supervised releaserestricting a defendant’s association and activitiesare that such restrictions impermissibly restrictotherwise legal activities, that they violate thedefendant’s First Amendment rights, or areimpermissibly vague or ambiguous. Mitnickchallenged the conditions imposed by the court oneach of these grounds but was flatly rejected bythe Ninth Circuit Court of Appeals. United Statesv. Kevin Mitnick, No. 97-50365, 1998 WL255343(9th Cir. May 20, 1998).

The argument that broad supervised releaseconditions restrict otherwise lawful activity missesthe point. Courts have frequently curtailedactivities that, though otherwise legitimate,nevertheless might tempt a defendant to engage infurther illegal conduct. See United States v. Lowe,654 F.2d 562, 566 (9th Cir. 1981) (court couldproperly restrict access within 250 feet of militarybase, thereby effectively precluding legitimateleafleting activity, to remove temptation ofseparate criminal conduct – trespassing on base);United States v. Bolinger, 940 F.2d 478, 480 (9thCir. 1991) ("Probation conditions may seek toprevent reversion into former crime-inducinglifestyle by barring contact with old haunts and

associates, even though the activities may belegal"); United States v. Peete, 919 F.2d 1168,1181 (6th Cir. 1990) (proper to prohibit defendantconvicted of violating Hobbs Act from runningfor public office to insulate him from temptationof same environment and protect the public);United States v. Turner, 44 F.3d 900, 903 (10thCir. 1995), (court properly ordered defendant notto picket abortion clinics because "it is not toofantastic to speculate that if she were permitted toprotest at an abortion clinic she might not be ableto restrict her activities within lawful parameter");United States v. Choate, 101 F.3d 562, 566 (8thCir. 1996) (defendant properly prohibited fromself-employment because of risk that prior"excesses of salesmanship" could again lead toillegal conduct if not supervised).

In Malone v. United States, 502 F.2d 554 (9thCir. 1974), defendant was convicted of unlawfulexportation of firearms to Ireland and, as part ofhis sentence, was ordered not to associate with, orbelong to, any Irish organization, group, ormovement, not to be employed in any capacitythat directly or indirectly associated him with suchgroups and not to visit any Irish pubs. Id. at 555.In upholding these restrictions, the courtrecognized that the incidental chance oftemptation warranted these conditions despitetheir usually lawful character:

The conditions here involved are not intendedto infer that each member of a group ororganization with which the appellant isforbidden to associate will necessarily leadhim into criminal activities or be a badinfluence. It is the incidental association withone or more who might lead him to futurecriminality that the court seeks to prevent. Ifthe trial judge could only prohibit activeassociation with a group having an illegalpurpose, then the court would be, in effect,restricted to the standard condition that theprobationer obey the law. It does not appearsuch limitation was intended. Here the crimestemmed from high emotional involvementwith Irish Republic sympathizers.

Id at 556.

Challenges based on an impermissiblerestriction of a defendant’s rights of expression or


association should be similarly unavailing.Despite the growing importance of the Internet asa means of communication, restrictions on accessto that technology are proper if related to andreasonably necessary to promote the goals ofsentencing. It is axiomatic that those convicted ofcriminal conduct are "properly subject tolimitations from which ordinary citizens arefree[.]" United States v. Consuelo-Gonzalez,521 F.2d 259, 265 (9th Cir. 1975). Accordingly,the district court retains its broad discretion insetting conditions of supervised release andprobation, even where fundamental rights areinvolved. Bolinger, 940 F.2d at 480. Althoughconditions restricting fundamental rights arereviewed carefully, Lowe, 654 F.2d at 567, thereis no "presumption, however weak, that suchlimitations are impermissible". Consuelo-Gonzalez, 521 F.2d at 265. As the Ninth Circuitstated in Consuelo-Gonzalez:

Merely because a convicted individual’sfundamental rights are involved should notmake a probation condition which limits thoserights automatically suspect. The developmentof a sensible probationary system necessarilyrequires that the trial court be vested withbroad discretionary powers. It also requiresthat any condition which is imposed followingconviction, whether or not it touches upon"preferred" rights, must be viewed in thecontext of the goals underlying the Act. Thus,the crucial determination in testingprobationary conditions is not the degree of"preference" which may be accorded thoserights limited by the condition, but ratherwhether the limitations are primarily designedto affect the rehabilitation of the probationeror insure the protection of the public.

Consuelo-Gonzalez, 521 F.2d at 265 n.14. Therestriction of even "preferred rights" is valid solong as they are: "(1) primarily designed to meetthe ends of rehabilitation and protection of thepublic and (2) reasonably related to those ends."Bolinger, 940 F.2d at 480. Like any other specialcondition of supervised release, such conditionsalso must involve no greater deprivation of libertythan is reasonably necessary. 18 U.S.C. § 3583(d).

Courts have routinely deferred to thesentencing court’s broad discretion in settingconditions notwithstanding the implication offundamental rights. See, e.g., Malone, 502 F.2d at556 (upholding restrictions limiting associationwith all Irish groups against First Amendmentclaim); Lowe, 654 F.2d at 566-67 (upholdingconditions that effectively precluded defendantsfrom distributing literature to employees ofmilitary base or attend certain weekly meetingsagainst free speech and association claim); Peete,919 F.2d at 1118 (prohibition on holding publicoffice upheld); United States v. Bird, 124 F.3d667, 684 (5th Cir. 1997) (rejecting FirstAmendment challenge to condition that defendantstay 1,000 feet away from abortion clinics wherehe had previously been convicted for trespassingat abortion clinics); United States v. Showalter,933 F.2d 573, 575 (7th Cir. 1991) (conditionsupheld requiring the defendant convicted ofpossession of unregistered firearm to avoidassociating with other skinheads and neo-Nazis).

As long as restrictions are reasonably relatedto the offense and defendant’s history, areprimarily designed to protect the public andpromote rehabilitation by preventing recidivism,are expressly related to those ends, andparticularly in light of defendant’s past conduct,involve no greater deprivation of liberty than isreasonably necessary to achieving those ends,they should survive a First Amendment challenge.

A final likely claim is that broad conditionsrestricting access to computers are fatally vagueand overbroad. Mitnick, for example, argued thatbecause almost everything from automobiles toATMs and toasters include computer chips, hewould be forced to live as a hermit or commitunintentional violations of supervised release.Both the District Court and Court of Appealsrejected this argument stating that conditionsrestricting computer access should be read in acommon sense manner. Although due processrequires a defendant to be given fair warningbefore he forfeits his liberty, see United States v.Grant, 816 F.2d 440, 442 (9th Cir. 1987).

[f]air warning is not to be confused with thefullest or most pertinacious, warningimaginable. Conditions of probation do not


have to be cast in letters six feet high, or todescribe every possible permutation, or spellout every last self-evident detail [they] mayafford fair warning even if not precise to thepoint of pedantry. In short, conditions ofprobation can be written – and must be read ina common sense way.

United States v. Gallo, 20 F.3d 7, 11 (1st Cir.1994). (internal citations omitted)

The scope and detail of supervised releaserestrictions in hacker cases will be highlydependent on the facts of the particular case andthe history of the defendant. Nevertheless,prosecutors should be aware these conditions canbe used as a powerful tool to protect the publicand aid in rehabilitation. Accordingly, prosecutorsshould consider appropriate conditions whennegotiating a plea agreement or in argumentspresented during sentencing proceedings.òABOUT THE AUTHOR

ëChristopher M.E. Painter is a Deputy Chief ofthe Computer Crime and Intellectual PropertySection at the Department of Justice. From 1991to March 2000, Mr. Painter was a criminalprosecutor in the U.S. Attorney’s Office for theCentral District of California (Los Angeles). Sincetaking that post, Mr. Painter specialized in theinvestigation and prosecution of high-tech,intellectual property and computer crimes andserved as a Computer Crime and Internet FraudCoordinator for his office.

Mr. Painter has investigated and prosecutedsome of the most significant and high profilehigh-tech cases in the country, including theprosecution of notorious computer hacker KevinMitnick, the prosecution of the first Internet stockmanipulation case involving the posting of abogus Bloomberg News page falsely reporting thesale of a company called PairGain that caused itsstock to soar, prosecution of another internet stockmanipulation case, involving former and presentUCLA students who hyped stocks on Yahoo byposting false spam messages, and the prosecutionof one of the first Internet auction fraud cases. Mr.Painter co-chairs an ABA subcommitteeconcerning high-tech crimes and serves on several

Department of Justice and interagency workinggroups relating to computer and Internet hackers,Internet fraud investigations and prosecutions,electronic evidence, intellectual property crimes,and thefts of trade secrets. He has frequentlylectured to private groups and at the NationalAdvocacy Center, appeared on 60 Minutes, CNN,CBS Morning News, the BBC, and has testifiedbefore Congress concerning computer crimeissues.a

UPCOMING PUBLICATIONSMay 2001 Cybercrime II

July 2001 Tax Issues

Request for Subscription UpdateIn an effort to provide the UNITED STATES ATTORNEYS' BULLETIN to all who wish to receive, we are

requesting that you e-mail Nancy Bowman ([email protected]) with the following information:Name, title, complete address, telephone number, number of copies desired, and e-mail address. If there ismore than one person in your office receiving the BULLETIN, we ask that you have one receiving contactand make distribution within your organization. If you do not have access to e-mail, please call 803-544-5158. Your cooperation is appreciated.

computer crimes and intellectual - welcome to the united states

Documents