Cybercrime

Acts against the Confidentiality, Integrity and Availability of Computer, Data and Systems

• Illegal access to a computer system
• Illegal access of computer data
• Interception of computer data
• Illegal data/system interference
• Acquisition of computer data
• Breach of privacy/data protection measures

Computer-related acts for personal or financial gain

• Fraud

Keywords

• Illegal access to a computer system/data
• Interception/acquisition of computer data
• Breach of privacy/data protection measures
• Electronic Evidence
• Cybersecurity infrastructures
• Digital forensics

United States v. Ivanov

UNODC No.:
USAx103

Fact Summary

Aleksey Vladimirovich Ivanov (Ivanov) was indicted, on charges of conspiracy, computer fraud and related activity, extortion and possession of unauthorized access devices. The government alleges that Ivanov hacked into OIB's computer system and obtained key passwords. OIB collects and maintains customer credit card information. OIB received a series of unsolicited emails from Ivanov seeking demands for money to make their systems secure. The government contends that Ivanovs extortionate communications originated from an email account at Lightrealm.com and Internet Service Provider based in Washington. It contends that while he was in Russia Ivanov gained access to the Lightrealm computer network and that he used that system to communicate with OIB also while he was in Russia. The parties agree that the defendant was physically in Russia.
Ivanov has moved to dismiss the indictment on the grounds that the court lacks subject matter jurisdiction. Ivanov argues that because it is alleged that he was physically located in Russia when the offenses were committed, he cannot be charged with violations of United States law.



Commentary and Significant Features

As has been remarked one of the more significant aspects of computer-related crime is its global reach. Crimes can be committed in one country affecting individuals in other countries 'this poses great challenges for the detection, investigation and prosecution of offenders’. The present case illustrates the the difficulties in prosecuting crimes of this nature. There is firstly the problem of where the offence occurred in order to decide which law to apply and, secondly, there may be problems obtaining evidence and ensuring that the offender can be located and tried before a court (P. Grabosky).   In this case it can be seen that the FBI agents were creative on all fronts

The FBI created a bogus computer security company and lured two computer hackers (Gorshkov and Ivanov) from Russia to the US for ‘interviews’ with the company. Both were asked to demonstrate their skills by hacking into a network set up by the FBI, which they did through accessing their own computer systems in Russia via the Internet. A keystroke logger was installed on the laptops used, which enabled the FBI to then access the Russian computers, download incriminating evidence, and eventually allowing the FBI to prosecute the defendants for their having previously hacked the systems of several US corporations including banks, defrauding thousands of customers of money and stealing their private financial and personal identifying information.  Ivanov and Gorshkov were indicted under different aspects of the law and their cases were tried separately and indeed in different geographic locations in the United States.  Nations normally assert their jurisdiction according to one or more of the following principles Territorial jurisdiction; Jurisdiction based on nationality; Universal Jurisdiction; and the Effects Doctrine.

United States v. Ivanov was the first case to apply the Computer Fraud and Abuse Act (CFAA) extraterritorially. The district court in Ivanov specifically held that, for the CFAA, the government overcame the presumption against extraterritoriality because the CFAA uses the key terms “interstate or foreign commerce or communication,” to apply to computers. By using both the words “interstate” and “foreign”, made it clear Congress intended the CFAA to apply both within the United States and abroad.
The case is also authority for the effects/objective test as it is clear the court favoured an expansive concept of extraterritorial jurisdiction.  The court found even if the statutory language and history is silent or ambiguous, a court can use the effects test to determine extraterritorial application (see Greenplate). Under the effects test, a country may hold a person liable under its laws “for conduct outside its borders that has consequences within its borders which the [country] reprehends . . . .” and the court  determined that the effect of Ivanov’s conduct in the United States gave U.S. courts jurisdiction, even though Ivanov used a complex computer process that he controlled from Russia, Ivanov purposefully accessed the OIB company’s computer without authorization and obtained the valuable data in the United States, which the CFAA prohibits (although it can be noted he also accessed a specific computer in the United States in revealing his fraud to the FBI).
And although the court had ruled that the laws which Ivanov violated already extended extraterritorially, the Patriot Act was enacted shortly thereafter and increased the scope of the Computer Fraud and Abuse Act to expressly cover machines outside the United States. But arguably a clearer legal framework covering the various possibilities of cybercrime has yet to emerge in terms of the various doctrinal and indeed technical issues.

Sentence Date:
2001-12-06

Cross Cutting

Liability

... for

• completed offence

... as involves

• principal offender(s)

Application of the Convention

Details

• occurred across one (or more) international borders (transnationally)

Involved Countries

United States of America

Russian Federation

Investigation

Computer specific investigative measures

• Search for computer hardware or data
• Seizure of computer hardware or data
• Expedited preservation of computer data
• Informal approaches to obtaining data from third parties
• Trans-border access to a computer system or data
• Use of remote forensic tools

Details

• Special investigative techniques
• undercover operation(s)
• Element of transnationality (Article 3 (1) and 3 (2) CTOC)
Comments:
Federal Bureau of Investigation 'sting'
 

Confiscation & Seizure

• Conviction / non-conviction based (art.13.6)

International Cooperation

Measures

• Preservation of Computer Data

Procedural Information

Legal System:
Common Law
Latest Court Ruling:
Court of 1st Instance
Type of Proceeding:
Criminal
 
 
Proceeding #1:
  • Stage:
    first trial
  • Is the decision appealable?:
    Yes
  • Official Case Reference:
    United States v Ivanov No. 300CR00183AWT. 2001
  • Court

    • Criminal
    Description:

    The Court examined began by examining the issues in terms of the intended and actual detrimental effects of the charged offenses occurred within the United States. It then considered the issues terms of legislation which specifically had extraterritorial application.

    A. The Intended and Actual Detrimental Effects of the Charged Offenses Occurred Within the United States.
    The Court began by noting the circumstances in which it is permissible to United States law to person outside its territory.  As noted by the court in United States v. Muench, 694 F.2d 28 (2d Cir.1982), "[t]he intent to cause effects within the United States ... makes it reasonable to apply to persons outside United States territory a statute which is not expressly extraterritorial in scope." The court also referred to United States v. Steinberg, 62 F.2d 77, 78 (2d Cir.1932) and Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 666 (2d Cir.1983). It further noted the Supreme Court has quoted with approval the following language from Moore's International Law Digest:  The principle that a man, who outside of a country willfully puts in motion a force to take effect in it, is answerable at the place where the evil is done, is recognized in the criminal jurisprudence of all countries. And the methods which modern invention has furnished for the performance of criminal acts in that manner has made this principle one of constantly growing importance and of increasing frequency of application (ref. Ford v. United States, 273 U.S. 593, 623, 47 S.Ct. 531, 71 L.Ed. 793 (1927). Moreover, the court noted in Rich that: [I]t is certain that the courts of many countries, even of countries which have given their criminal legislation a strictly territorial character, interpret criminal law in the sense that offences, the authors of which at the moment of commission are in the territory of another State, are nevertheless to be regarded as having been committed in the national territory, if one of the constituent elements of the offence, and more especially its effects, have taken place there (The S.S. Lotus, 1927 P.C.I.J., ser. A, No. 10, at 23, reprinted in 2 Hudson, World Court Reports, 23, 38 (1935). Rich, 707 F.2d at 666).

    On the facts here, all of the intended and actual detrimental effects of the substantive offenses Ivanov is charged with in the indictment occurred within the United States.

    In Counts Two and Three, the defendant is charged with accessing OIB's computers, located in the USA. It was irrelevant that the computers were accessed remotely as the detriment occurred in Connecticut. In order for Ivanov to violate § 1030(a)(4), it was necessary that he do more than merely access OIB's computers and it was noted that Count Two charges further that the "something of value" was the data obtained from OIB's computers (See United States v. Czubinski, 106 F.3d 1069, 1078 (1st Cir.1997)).   At this point he was able to control the data, e.g., credit card numbers and merchant account numbers, stored in the OIB computers; Ivanov could copy, sell, transfer, alter, or destroy that data. That data is intangible property of OIB. See Carpenter v. United States, 484 U.S. 19, 25, 108 S.Ct. 316, 98 L.Ed.2d 275 (1987) and New York Credit Men's Ass'n v. Mfrs. Disc. Corp., 147 F.2d 885, 887 (2d Cir.1945)). Ivanov gained root access to OIB's computers, he had complete control over that data, and consequently had possession of it. The fact that he subsequently moved that data to a computer located in Russia, does not alter the fact that at the point when Ivanov first possessed that data, it was on OIB's computers in Vernon, Connecticut.

    Count Three charges further that when he accessed OIB's computers, Ivanov obtained information from protected computers –this also occurred within the United States.

    Count Six charges that Ivanov transmitted a threat to cause damage to protected computers. The detrimental effect prohibited by § 1030(a)(7), namely the receipt by an individual or entity of a threat to cause damage to a protected computer, occurred in Vernon, Connecticut because that is where OIB was located, where it received the threat, and where the protected computers were located. The analysis is the same as to Count Seven, the charge under the Hobbs Act.

    Count Eight charges that Ivanov knowingly and with intent to defraud possessed over ten thousand unauthorized access devices, i.e., credit card numbers and merchant account numbers. For the reasons discussed above, although it is charged that Ivanov later transferred this intangible property to Russia, he first possessed it while it was on OIB's computers in Vernon, Connecticut. Had he not possessed it here, he would not have been able to transfer it to his computer in Russia. Thus, the detrimental effect prohibited by the statute occurred within the United States.

    Finally, Count One charges that Ivanov and others conspired to commit each of the substantive offenses charged in the indictment. The Second Circuit has stated that "the jurisdictional element should be viewed for purposes of the conspiracy count exactly as we view it for purposes of the substantive offense ...." (United States v. Blackmon, 839 F.2d 900, 910 (2d Cir.1988)  United States v. Kim, 246 F.3d 186, 191, n. 2 (2d Cir.2001)). Federal jurisdiction over a conspiracy charge "is established by proof that the accused planned to commit a substantive offense which, if attainable, would have violated a federal statute, and that at least one overt act has been committed in furtherance of the conspiracy." United States v. Giordano, 693 F.2d 245, 249 (2d Cir.1982). Here, Ivanov is charged with planning to commit substantive offenses in violation of federal statutes, and it is charged that at least one overt act was committed in furtherance of the conspiracy. As discussed above, the court has jurisdiction over the underlying substantive charges. Therefore, the court has jurisdiction over the conspiracy charge, at a minimum, to the extent it relates to Counts Two, Three, Six, Seven or Eight.

    The court concluded Ivanov is charged with in the indictment occurred within the United States whether or not the statutes under which the substantive offenses are charged are intended by Congress to apply extraterritorially, because the intended and actual detrimental effects of the substantive offenses

    B. Intended Extraterritorial Application

    The defendant is charged with substantive offenses in violation of 18 U.S.C. § 1951, 18 U.S.C. § 1030 and 18 U.S.C. § 1029, and with conspiracy in violation of 18 U.S.C. § 371 and the defendant's motion should also be denied because, as to each of the statutes under which the defendant has been indicted for a substantive offense, there is clear evidence that the statute was intended by Congress to apply extraterritorially. This fact is evidenced by both the plain language and the legislative history of each of these statutes. The court noted while there is a presumption that Congress intends its acts to apply only within the United States, and not extraterritorially- this "presumption against extraterritoriality" may be overcome by showing "clear evidence of congressional intent to apply a statute beyond our borders ...." (U.S. v. Gatlin, 216 F.3d 207, 211 (2d Cir.2000) and Equal Employment Opportunity Comm. v. Arabian American Oil Co., 499 U.S. 244, 248, 111 S.Ct. 1227, 113 L.Ed.2d 274 (1991))

    1. 18 U.S.C. § 1951: The Hobbs Act provides that whoever in any way or degree obstructs, delays, or affects commerce or the movement of any article or commodity in commerce, by robbery or extortion or attempts or conspires so to do, or commits or threatens physical violence to any person or property in furtherance of a plan or purpose to do anything in violation of this section shall be fined under this title or imprisoned not more than twenty years, or both. The Supreme Court has stated that the Hobbs Act "speaks in broad language, manifesting a purpose to use all the constitutional power Congress has to punish interference with interstate commerce by extortion, robbery or physical violence",  (Stirone v. United States, 361 U.S. 212, 215, 80 S.Ct. 270, 4 L.Ed.2d 252 (1960)). The Court previosly concluded that: [E]ven if none of the [defendants'] overt acts had occurred in this country ... Congress could give the district court jurisdiction under the commerce clause so long as [the defendants'] activities affected [the victim's] commercial ventures in interstate commerce within the United States. (ref Stirone v. United States, 361 U.S. 212, 215, 80 S.Ct. 270, 272, 4 L.Ed.2d 252 (1960) and United States v. Inigo, 925 F.2d 641, 648 (3d Cir.1991)). The Court stated that based on the foregoing the Hobbs Act encompasses not only all extortionate interference with interstate commerce by means of conduct occurring within the United States, but also outside the United States where commerce is affected within the borders of the United States. It is immaterial whether Ivanov's alleged conduct can be said to have taken place entirely outside the United States, because that conduct clearly constituted "interference with interstate commerce by extortion", Stirone, 361 U.S. at 215, 80 S.Ct. 270, in violation of the Hobbs Act. Consequently, the court has jurisdiction over this charge against him.

    2. 18 U.S.C. § 1030: The Computer Fraud and Abuse Act

    Noting The Computer Fraud and Abuse Act ("CFAA") was amended in 1996 relevant to the issue of extraterritoriality, including a change in the definition of "protected computer" so that it included any computer "which is used in interstate or foreign commerce or communication." The court noted the 1996 amendments also added provisions which explicitly address "interstate or foreign commerce", and add to the definition of "government entity" the clause "any foreign country, and any state, province, municipality or other political subdivision of a foreign country". It is clear Congress intended the CFAA to apply to computers used "in interstate or foreign commerce or communication." While the defendant argues that this language is ambiguous the court disagrees. The Supreme Court has often stated that "a statute ought, upon the whole, to be so construed that, if it can be prevented, no clause, sentence, or word shall be superfluous, void, or insignificant" (Regions Hosp. v. Shalala, 522 U.S. 448, 467, 118 S.Ct. 909, 139 L.Ed.2d 895 (1998)). In order for the word "foreign" to have meaning, and not be superfluous, it must mean something other than "interstate". In other words, "foreign" in this context must mean international. Thus, Congress has clearly manifested its intent to apply § 1030 to computers used either in interstate or in foreign commerce. The court noted the legislative history of the CFAA supports this reading of the plain language of the statute and a Senate Judiciary Committee report explaining its reasons specifically noted its concern that the statute as it existed prior to the 1996 amendments did not cover "computers used in foreign communications or commerce, despite the fact that hackers are often foreign-based."  The Committee cited two specific cases in which foreign-based hackers had infiltrated computer systems in the United States, as examples of the kind of situation the amendments were intended to address: For example, the 1994 intrusion into the Rome Laboratory at Grifess Air Force Base in New York, was perpetrated by a 16-year-old hacker in the United Kingdom. More recently, in March 1996, the Justice Department tracked down a young Argentinean man who had broken into Harvard University's computers from Buenos Aires and used those computers as a staging ground to hack into many other computer sites, including the Defense Department and NASA. It concluded Congress has the power to apply its statutes extraterritorially, and in the case of 18 U.S.C. § 1030, it has clearly manifested its intention to do so.

    3. 18 U.S.C. § 1029: The Access Device Statute

    The court noted Section 1029 of Title 18 of the United States Code provides for the imposition of criminal sanctions on any person who uses, possesses or traffics in a counterfeit access device "if the offense affects interstate or foreign commerce." In addition the court referred to centuries old canon of statutory construction to the effect that a statute should be construed so that no word or phrase is rendered superfluous (Platt v. Union Pac. R.R. Co., 99 U.S. 48, 58, 9 Otto 48, 25 L.Ed. 424 (1878), noting that the "rules of statutory construction declare that a legislature is presumed to have used no superfluous words."). Therefore, based on the same reasoning applied above in the discussion of § 1030, the court concludes that the plain language of § 1029 indicates a congressional intent to apply the statute extraterritorially. The parties agreed at oral argument that the legislative history of 18 U.S.C. § 1029 mirrors that of § 1030. Therefore, the discussion above of the congressional intent behind § 1030 also applies to § 1029. Accordingly, the court finds that this section, too, was intended to apply extraterritorially.

    4. 18 U.S.C. § 371: The Conspiracy Statute

    The Second Circuit has recently noted that where the court has jurisdiction over the underlying substantive criminal counts against a defendant, the court also has jurisdiction over the conspiracy counts. See Kim, 246 F.3d at 191, n. 2. A court may "infer[] the extra-territorial reach of conspiracy statutes on the basis of a finding that the underlying substantive statute reached extra-territorial offenses, even though the conspiracy charges came under separate code sections ...." United States v. Evans, 667 F.Supp. 974, 981 (S.D.N.Y. 1987) (internal quotation marks and citations omitted). See also United States v. Yousef, 927 F.Supp. 673, 682 (S.D.N.Y. 1996) ("Extraterritorial jurisdiction over a conspiracy charge depends on whether extraterritorial jurisdiction exists as to the underlying substantive crime.") Because the court finds that each of the underlying substantive statutes in this case was intended by Congress to apply extraterritorially, it also finds that it has jurisdiction over the conspiracy charge.

    The court concluded for the reasons above there is jurisdiction and denied the defendant's motion.

     

    Sentences

    Sentence

    Term of Imprisonment:
    3 years
     
    Proceeding #2:
  • Stage:
    first trial
  • Is the decision appealable?:
    Yes
  • Official Case Reference:
    U.S. v. Gorshkov, 2001 WL 1024026
  • Court

    • Criminal
    Description:
    Vasiliy Gorshkov had accompanied Ivanov to the United States for the same reason. His related proceedings examined different areas of the law to those examined in the Ivanov case. During the meeting, Gorshkov used an FBI laptop computer to demonstrate (to Invita the fictitious FBI company) his computer hacking and computer security skills. He also accessed his computer system in Russia. After the meeting, both men were arrested. Following the arrest and without Gorshkov's knowledge or consent, the FBI searches and seized the laptop and all the keystrokes made by Gorshkov by means of a sniffer program. The FBI then obtained Gorshkov's username and password that he had used to access the Russian computer. Using the login information, the FBI logged onto Defendant's computer system in Russia and downloaded the file contents of the computer(s) without a warrant. The FBI downloaded and copied the files prior to the warrant being applied for and obtained on December 1, 2000, (ref http://itlaw.wikia.com/wiki/U.S._v._Gorshkov). Gorshkov argued the agents conduct violated his Fourth Amendment rights and certain due process entitlements.  The Court stated that the defendant must meet the two-part test to establish an expectation of privacy:
    • the Defendant must have an actual subjective expectation of privacy; and
    • that expectation is one that society is prepared to recognize as reasonable.
    The Fourth Amendment to the U.S. Constitution guarantees that "the right of the people" to be free from "unreasonable searches and seizures" shall not be violated. In this case the Court held this amendment (unlike, say, the Fifth Amendment) applies only to searches and seizures that are conducted either (i) in the territorial United States or (ii) outside the United States against U.S. citizens. Under this interpretation of the Fourth Amendment, therefore, it does not violate the U.S. Constitution for U.S. law enforcement officers to search and seize property that is located outside the U.S. and that belongs to someone who is not a U.S. citizen.
    (i.e. the protection did not apply to the  "the agents' extraterritorial access to computers in Russia and their copying of data contained thereon). The computers accessed by the agents were located in Russia, as was the data contained on those computers and “Until the copied data was transmitted to the United States, it was outside the territory of this country and not subject to the protections of the Fourth Amendment." The computers accessed by the agents were in Russia, which is outside the territory of the United States and until the copied data was transmitted to the United States, it was also outside the territory of the United States. The act of copying the data on the Russian computers was not a seizure under the Fourth Amendment since it did not interfere with the defendant's (or anyone else's) possessory interest in the data.
    The Court found that the defendant could not have had an actual expectation of privacy in a private computer network belonging to a (fictional FBI) U.S. company, Invita, and a computer that was not his. In addition, the defendant knew that the systems administrator could and likely would monitor his activities over Invita's network. The agents also told defendant that they wanted to watch him and see what he was capable of doing, and they were frequently standing and looking over his shoulder. Moreover, the sole purpose of using the computer was to demonstrate his hacking ability for the Invita personnel to review -“When (the) defendant sat down at the networked computer … he knew that the systems administrator could and likely would monitor his activities”…“Indeed, the undercover agents told (Gorshkov) that they wanted to watch in order to see what he was capable of doing.”
    Procedurally the judge noted that investigators obtained a search warrant before viewing the vast store of data — nearly 250 gigabytes, according to court records. He rejected the argument that the warrant should have been obtained before the data was downloaded, noting that “the agents had good reason to fear that if they did not copy the data, (the) defendant’s co-conspirators would destroy the evidence or make it unavailable.” However criticisms remains in some academic quarters that the initial actions of the FBI was tantamount to a warrantless search.
    The judge also rejected defense arguments that the FBI’s actions “were unreasonable and illegal because they failed to comply with Russian law,” saying that Russian law does not apply to the agents’ actions. However cases such as these raise sovereignty issues and the sides did not agree as to the level of communication for co-operation or assistance sent or received between the two countries in this case.  Highlighting again the transnational effects of cybercrime Russia argued it was injured by the actions of the FBI in accessing its systems for the purposes of the FBI operation and it too charged one of the FBI agents with hacking in violation of Russian law. The Russians in effect charged the agent with doing what Gorshkov and Ivanov had done: gaining access to computers without being authorized to do so.
    Finally it can be noted that the courts did not voluntarily or otherwise deal with any issues of entrapment given that drama had been engineered in a way so as to illicit information voluntarily from the Russians as regards their understanding of what they were doing was illegal. 

    He was found guilty on 20 counts of conspiracy, various computer crimes, and fraud and sentenced to 36 months in prison. In addition he was ordered to pay restitution of nearly $700,000 for the losses he caused to companies such as PayPal, Speakeasy, Nara Bank and Central National Bank.

     

     

    Court

    US District Court, District of Connecticut.

    build 295 2018-10-08T09:42:25.530+02:00