Aleksey Vladimirovich Ivanov (Ivanov) was indicted, on charges of conspiracy, computer fraud and related activity, extortion and possession of unauthorized access devices. The government alleges that Ivanov hacked into OIB's computer system and obtained key passwords. OIB collects and maintains customer credit card information. OIB received a series of unsolicited emails from Ivanov seeking demands for money to make their systems secure. The government contends that Ivanovs extortionate communications originated from an email account at Lightrealm.com and Internet Service Provider based in Washington. It contends that while he was in Russia Ivanov gained access to the Lightrealm computer network and that he used that system to communicate with OIB also while he was in Russia. The parties agree that the defendant was physically in Russia.
Ivanov has moved to dismiss the indictment on the grounds that the court lacks subject matter jurisdiction. Ivanov argues that because it is alleged that he was physically located in Russia when the offenses were committed, he cannot be charged with violations of United States law.
The Court examined began by examining the issues in terms of the intended and actual detrimental effects of the charged offenses occurred within the United States. It then considered the issues terms of legislation which specifically had extraterritorial application.
A. The Intended and Actual Detrimental Effects of the Charged Offenses Occurred Within the United States.
The Court began by noting the circumstances in which it is permissible to United States law to person outside its territory. As noted by the court in United States v. Muench, 694 F.2d 28 (2d Cir.1982), "[t]he intent to cause effects within the United States ... makes it reasonable to apply to persons outside United States territory a statute which is not expressly extraterritorial in scope." The court also referred to United States v. Steinberg, 62 F.2d 77, 78 (2d Cir.1932) and Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 666 (2d Cir.1983). It further noted the Supreme Court has quoted with approval the following language from Moore's International Law Digest: The principle that a man, who outside of a country willfully puts in motion a force to take effect in it, is answerable at the place where the evil is done, is recognized in the criminal jurisprudence of all countries. And the methods which modern invention has furnished for the performance of criminal acts in that manner has made this principle one of constantly growing importance and of increasing frequency of application (ref. Ford v. United States, 273 U.S. 593, 623, 47 S.Ct. 531, 71 L.Ed. 793 (1927). Moreover, the court noted in Rich that: [I]t is certain that the courts of many countries, even of countries which have given their criminal legislation a strictly territorial character, interpret criminal law in the sense that offences, the authors of which at the moment of commission are in the territory of another State, are nevertheless to be regarded as having been committed in the national territory, if one of the constituent elements of the offence, and more especially its effects, have taken place there (The S.S. Lotus, 1927 P.C.I.J., ser. A, No. 10, at 23, reprinted in 2 Hudson, World Court Reports, 23, 38 (1935). Rich, 707 F.2d at 666).
On the facts here, all of the intended and actual detrimental effects of the substantive offenses Ivanov is charged with in the indictment occurred within the United States.
In Counts Two and Three, the defendant is charged with accessing OIB's computers, located in the USA. It was irrelevant that the computers were accessed remotely as the detriment occurred in Connecticut. In order for Ivanov to violate § 1030(a)(4), it was necessary that he do more than merely access OIB's computers and it was noted that Count Two charges further that the "something of value" was the data obtained from OIB's computers (See United States v. Czubinski, 106 F.3d 1069, 1078 (1st Cir.1997)). At this point he was able to control the data, e.g., credit card numbers and merchant account numbers, stored in the OIB computers; Ivanov could copy, sell, transfer, alter, or destroy that data. That data is intangible property of OIB. See Carpenter v. United States, 484 U.S. 19, 25, 108 S.Ct. 316, 98 L.Ed.2d 275 (1987) and New York Credit Men's Ass'n v. Mfrs. Disc. Corp., 147 F.2d 885, 887 (2d Cir.1945)). Ivanov gained root access to OIB's computers, he had complete control over that data, and consequently had possession of it. The fact that he subsequently moved that data to a computer located in Russia, does not alter the fact that at the point when Ivanov first possessed that data, it was on OIB's computers in Vernon, Connecticut.
Count Three charges further that when he accessed OIB's computers, Ivanov obtained information from protected computers –this also occurred within the United States.
Count Six charges that Ivanov transmitted a threat to cause damage to protected computers. The detrimental effect prohibited by § 1030(a)(7), namely the receipt by an individual or entity of a threat to cause damage to a protected computer, occurred in Vernon, Connecticut because that is where OIB was located, where it received the threat, and where the protected computers were located. The analysis is the same as to Count Seven, the charge under the Hobbs Act.
Count Eight charges that Ivanov knowingly and with intent to defraud possessed over ten thousand unauthorized access devices, i.e., credit card numbers and merchant account numbers. For the reasons discussed above, although it is charged that Ivanov later transferred this intangible property to Russia, he first possessed it while it was on OIB's computers in Vernon, Connecticut. Had he not possessed it here, he would not have been able to transfer it to his computer in Russia. Thus, the detrimental effect prohibited by the statute occurred within the United States.
Finally, Count One charges that Ivanov and others conspired to commit each of the substantive offenses charged in the indictment. The Second Circuit has stated that "the jurisdictional element should be viewed for purposes of the conspiracy count exactly as we view it for purposes of the substantive offense ...." (United States v. Blackmon, 839 F.2d 900, 910 (2d Cir.1988) United States v. Kim, 246 F.3d 186, 191, n. 2 (2d Cir.2001)). Federal jurisdiction over a conspiracy charge "is established by proof that the accused planned to commit a substantive offense which, if attainable, would have violated a federal statute, and that at least one overt act has been committed in furtherance of the conspiracy." United States v. Giordano, 693 F.2d 245, 249 (2d Cir.1982). Here, Ivanov is charged with planning to commit substantive offenses in violation of federal statutes, and it is charged that at least one overt act was committed in furtherance of the conspiracy. As discussed above, the court has jurisdiction over the underlying substantive charges. Therefore, the court has jurisdiction over the conspiracy charge, at a minimum, to the extent it relates to Counts Two, Three, Six, Seven or Eight.
The court concluded Ivanov is charged with in the indictment occurred within the United States whether or not the statutes under which the substantive offenses are charged are intended by Congress to apply extraterritorially, because the intended and actual detrimental effects of the substantive offenses
B. Intended Extraterritorial Application
The defendant is charged with substantive offenses in violation of 18 U.S.C. § 1951, 18 U.S.C. § 1030 and 18 U.S.C. § 1029, and with conspiracy in violation of 18 U.S.C. § 371 and the defendant's motion should also be denied because, as to each of the statutes under which the defendant has been indicted for a substantive offense, there is clear evidence that the statute was intended by Congress to apply extraterritorially. This fact is evidenced by both the plain language and the legislative history of each of these statutes. The court noted while there is a presumption that Congress intends its acts to apply only within the United States, and not extraterritorially- this "presumption against extraterritoriality" may be overcome by showing "clear evidence of congressional intent to apply a statute beyond our borders ...." (U.S. v. Gatlin, 216 F.3d 207, 211 (2d Cir.2000) and Equal Employment Opportunity Comm. v. Arabian American Oil Co., 499 U.S. 244, 248, 111 S.Ct. 1227, 113 L.Ed.2d 274 (1991))
1. 18 U.S.C. § 1951: The Hobbs Act provides that whoever in any way or degree obstructs, delays, or affects commerce or the movement of any article or commodity in commerce, by robbery or extortion or attempts or conspires so to do, or commits or threatens physical violence to any person or property in furtherance of a plan or purpose to do anything in violation of this section shall be fined under this title or imprisoned not more than twenty years, or both. The Supreme Court has stated that the Hobbs Act "speaks in broad language, manifesting a purpose to use all the constitutional power Congress has to punish interference with interstate commerce by extortion, robbery or physical violence", (Stirone v. United States, 361 U.S. 212, 215, 80 S.Ct. 270, 4 L.Ed.2d 252 (1960)). The Court previosly concluded that: [E]ven if none of the [defendants'] overt acts had occurred in this country ... Congress could give the district court jurisdiction under the commerce clause so long as [the defendants'] activities affected [the victim's] commercial ventures in interstate commerce within the United States. (ref Stirone v. United States, 361 U.S. 212, 215, 80 S.Ct. 270, 272, 4 L.Ed.2d 252 (1960) and United States v. Inigo, 925 F.2d 641, 648 (3d Cir.1991)). The Court stated that based on the foregoing the Hobbs Act encompasses not only all extortionate interference with interstate commerce by means of conduct occurring within the United States, but also outside the United States where commerce is affected within the borders of the United States. It is immaterial whether Ivanov's alleged conduct can be said to have taken place entirely outside the United States, because that conduct clearly constituted "interference with interstate commerce by extortion", Stirone, 361 U.S. at 215, 80 S.Ct. 270, in violation of the Hobbs Act. Consequently, the court has jurisdiction over this charge against him.
2. 18 U.S.C. § 1030: The Computer Fraud and Abuse Act
Noting The Computer Fraud and Abuse Act ("CFAA") was amended in 1996 relevant to the issue of extraterritoriality, including a change in the definition of "protected computer" so that it included any computer "which is used in interstate or foreign commerce or communication." The court noted the 1996 amendments also added provisions which explicitly address "interstate or foreign commerce", and add to the definition of "government entity" the clause "any foreign country, and any state, province, municipality or other political subdivision of a foreign country". It is clear Congress intended the CFAA to apply to computers used "in interstate or foreign commerce or communication." While the defendant argues that this language is ambiguous the court disagrees. The Supreme Court has often stated that "a statute ought, upon the whole, to be so construed that, if it can be prevented, no clause, sentence, or word shall be superfluous, void, or insignificant" (Regions Hosp. v. Shalala, 522 U.S. 448, 467, 118 S.Ct. 909, 139 L.Ed.2d 895 (1998)). In order for the word "foreign" to have meaning, and not be superfluous, it must mean something other than "interstate". In other words, "foreign" in this context must mean international. Thus, Congress has clearly manifested its intent to apply § 1030 to computers used either in interstate or in foreign commerce. The court noted the legislative history of the CFAA supports this reading of the plain language of the statute and a Senate Judiciary Committee report explaining its reasons specifically noted its concern that the statute as it existed prior to the 1996 amendments did not cover "computers used in foreign communications or commerce, despite the fact that hackers are often foreign-based." The Committee cited two specific cases in which foreign-based hackers had infiltrated computer systems in the United States, as examples of the kind of situation the amendments were intended to address: For example, the 1994 intrusion into the Rome Laboratory at Grifess Air Force Base in New York, was perpetrated by a 16-year-old hacker in the United Kingdom. More recently, in March 1996, the Justice Department tracked down a young Argentinean man who had broken into Harvard University's computers from Buenos Aires and used those computers as a staging ground to hack into many other computer sites, including the Defense Department and NASA. It concluded Congress has the power to apply its statutes extraterritorially, and in the case of 18 U.S.C. § 1030, it has clearly manifested its intention to do so.
3. 18 U.S.C. § 1029: The Access Device Statute
The court noted Section 1029 of Title 18 of the United States Code provides for the imposition of criminal sanctions on any person who uses, possesses or traffics in a counterfeit access device "if the offense affects interstate or foreign commerce." In addition the court referred to centuries old canon of statutory construction to the effect that a statute should be construed so that no word or phrase is rendered superfluous (Platt v. Union Pac. R.R. Co., 99 U.S. 48, 58, 9 Otto 48, 25 L.Ed. 424 (1878), noting that the "rules of statutory construction declare that a legislature is presumed to have used no superfluous words."). Therefore, based on the same reasoning applied above in the discussion of § 1030, the court concludes that the plain language of § 1029 indicates a congressional intent to apply the statute extraterritorially. The parties agreed at oral argument that the legislative history of 18 U.S.C. § 1029 mirrors that of § 1030. Therefore, the discussion above of the congressional intent behind § 1030 also applies to § 1029. Accordingly, the court finds that this section, too, was intended to apply extraterritorially.
4. 18 U.S.C. § 371: The Conspiracy Statute
The Second Circuit has recently noted that where the court has jurisdiction over the underlying substantive criminal counts against a defendant, the court also has jurisdiction over the conspiracy counts. See Kim, 246 F.3d at 191, n. 2. A court may "infer the extra-territorial reach of conspiracy statutes on the basis of a finding that the underlying substantive statute reached extra-territorial offenses, even though the conspiracy charges came under separate code sections ...." United States v. Evans, 667 F.Supp. 974, 981 (S.D.N.Y. 1987) (internal quotation marks and citations omitted). See also United States v. Yousef, 927 F.Supp. 673, 682 (S.D.N.Y. 1996) ("Extraterritorial jurisdiction over a conspiracy charge depends on whether extraterritorial jurisdiction exists as to the underlying substantive crime.") Because the court finds that each of the underlying substantive statutes in this case was intended by Congress to apply extraterritorially, it also finds that it has jurisdiction over the conspiracy charge.
The court concluded for the reasons above there is jurisdiction and denied the defendant's motion.
He was found guilty on 20 counts of conspiracy, various computer crimes, and fraud and sentenced to 36 months in prison. In addition he was ordered to pay restitution of nearly $700,000 for the losses he caused to companies such as PayPal, Speakeasy, Nara Bank and Central National Bank.
US District Court, District of Connecticut.
As has been remarked one of the more significant aspects of computer-related crime is its global reach. Crimes can be committed in one country affecting individuals in other countries 'this poses great challenges for the detection, investigation and prosecution of offenders’. The present case illustrates the the difficulties in prosecuting crimes of this nature. There is firstly the problem of where the offence occurred in order to decide which law to apply and, secondly, there may be problems obtaining evidence and ensuring that the offender can be located and tried before a court (P. Grabosky). In this case it can be seen that the FBI agents were creative on all fronts
The FBI created a bogus computer security company and lured two computer hackers (Gorshkov and Ivanov) from Russia to the US for ‘interviews’ with the company. Both were asked to demonstrate their skills by hacking into a network set up by the FBI, which they did through accessing their own computer systems in Russia via the Internet. A keystroke logger was installed on the laptops used, which enabled the FBI to then access the Russian computers, download incriminating evidence, and eventually allowing the FBI to prosecute the defendants for their having previously hacked the systems of several US corporations including banks, defrauding thousands of customers of money and stealing their private financial and personal identifying information. Ivanov and Gorshkov were indicted under different aspects of the law and their cases were tried separately and indeed in different geographic locations in the United States. Nations normally assert their jurisdiction according to one or more of the following principles Territorial jurisdiction; Jurisdiction based on nationality; Universal Jurisdiction; and the Effects Doctrine.
United States v. Ivanov was the first case to apply the Computer Fraud and Abuse Act (CFAA) extraterritorially. The district court in Ivanov specifically held that, for the CFAA, the government overcame the presumption against extraterritoriality because the CFAA uses the key terms “interstate or foreign commerce or communication,” to apply to computers. By using both the words “interstate” and “foreign”, made it clear Congress intended the CFAA to apply both within the United States and abroad.
The case is also authority for the effects/objective test as it is clear the court favoured an expansive concept of extraterritorial jurisdiction. The court found even if the statutory language and history is silent or ambiguous, a court can use the effects test to determine extraterritorial application (see Greenplate). Under the effects test, a country may hold a person liable under its laws “for conduct outside its borders that has consequences within its borders which the [country] reprehends . . . .” and the court determined that the effect of Ivanov’s conduct in the United States gave U.S. courts jurisdiction, even though Ivanov used a complex computer process that he controlled from Russia, Ivanov purposefully accessed the OIB company’s computer without authorization and obtained the valuable data in the United States, which the CFAA prohibits (although it can be noted he also accessed a specific computer in the United States in revealing his fraud to the FBI).
And although the court had ruled that the laws which Ivanov violated already extended extraterritorially, the Patriot Act was enacted shortly thereafter and increased the scope of the Computer Fraud and Abuse Act to expressly cover machines outside the United States. But arguably a clearer legal framework covering the various possibilities of cybercrime has yet to emerge in terms of the various doctrinal and indeed technical issues.