Cybercrime Newsletter July - Aug 2016
The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with cyber-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.
Cyberspace Law Developments
IT Security Firm Lists Top Security Predictions
IT security firm Garter posted its top security predictions for the next four years, including: 1) 99 percent of vulnerabilities will be known by security professionals for at least one year; 2) one-third of successful attacks will be on shadow IT resources; 3) 80 percent of cloud-based security products will be packaged with firewall platforms; 4) use of passwords in medium risk cases will drop by 55 percent due to recognition technologies; 5) more than 50 percent of IoT device makers will be unable to address threats from weak authentication; 6) more than 25 percent of identified attacks will involve IoT. The full list may be accessed at http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/.
European Commission Strengthens Controls on Bitcoin, Pre-Paid Cards
The European Commission’s executive branch adopted changes to the Fourth Anti-Money Laundering Directive, resulting in tighter controls on Bitcoin exchanges and pre-paid cards, in an effort to stop financial crime and terrorism funding. Under the adopted changes, virtual currency exchanges serving Europe must perform stricter identification checks on customers swapping fiat for new digital currencies, such as Bitcoin. In addition, the threshold for identification for pre-paid cards was lowered from 250 to 150 euros, with increased customer verification requirements.
$70 Million of Bitcoin Stolen From Hong Kong Exchange
Nearly $70 million worth of virtual currency Bitcoin was stolen from Hong Kong exchange Bitfinex, causing the exchange to halt trading and shut down its website. The exchange confirmed that hackers bypassed withdrawal restrictions and sent 119,756 units of bitcoin to multiple bitcoin wallet addresses. The breach was limited to bitcoin wallets, and other digital tokens traded on the exchange were not affected. As Bitfinex accounts for individual customer losses, it may have to settle open margin positions, associated financing or collateral affected by the breach, with any settlements at current market prices.
FBI Posts “Cyber’s Most Wanted” List
The FBI has posted its “Cyber’s Most Wanted” list of 26 cybercriminals, including the “Iranian DDoS attackers,” a group of seven Iranian nationals wanted for their involvement in conspiracies to conduct coordinated distributed denial-of-service (DDoS) attacks against the financial sector and other U.S. companies. The list also includes Evgeniy Bogachev, a Russian involved in the scheme that loaded the notorious software Zeus on victims’ computers to capture bank account numbers, and Joshua Aaron, charged with manipulating the price and volume of traded shares of stock. The complete list may be accessed at https://www.fbi.gov/wanted/cyber.
Daily Fantasy Sports Co. Starts Rebranding Effort
Daily fantasy sports company FanDuel Inc. announced it will offer a season-long contest as part of an overall branding effort featuring a new color scheme and logo. The company also published a “user bill of rights” promising that its contests will be on a level playing field, that user funds will be segregated and that sophisticated users will be identified so others will know about them. Their bill of rights may be accessed at https://www.fanduel.com/bill-of-rights.
Efforts Directed to Protect Elderly From Degrading on Social Media
The Centers for Medicare & Medicaid Services sent a letter to state nursing home inspection agencies directing them to begin scrutinizing efforts by nursing homes to protect elderly residents from being degraded on social media by staff members, an initiative prompted by a multitude of recent disturbing posts. The letter instructs the agencies to start examining nursing home policies on social media within 30 days as part of broader inspections in enforcing Medicare & Medicaid standards.
Recent State Court Decisions
Consent to Search Cell Phone
Commonwealth v. Jennings, 2016 Ky. LEXIS 247 (June 18, 2016).
The Kentucky Supreme Court held that the trial court properly denied Iris Jennings’ motion to suppress evidence found on her cell phone, as her consent did not expressly limit the search to the phone’s contact directory listing. The court found it was objectively reasonable for the detective to look for Jennings’ boyfriend’s phone number in other places, including text messages, and any overreach that occurred when the detective clicked on a photo identified as “my man” did not produce the evidence Jennings sought to suppress. Affirmed in part; reversed and remanded in part on other issues.
Ed. Note: Assistant Attorney General Courtney Hightower represented the Commonwealth.
Failure to Move to Suppress Cell Phone Evidence
State v. Speelman, 2O16 Ohio App. LEXIS 2272 (June 9, 2016).
An Ohio Court of Appeals affirmed a trial court judgment, ruling that his counsel’s failure to file a motion to suppress evidence from Nathaniel Speelman’s cell phone did not constitute ineffective assistance of counsel because the police had already viewed the video sent from Speelman’s cell phone and had possession of it via the recipient’s cell phone, so a suppression motion would not have been successful. The court further found that Speelman was not prejudiced by the seizure of his cell phone, and his relinquishment of the passcode to unlock the phone was a tacit consent to its seizure.
Probable Cause to Search Cell Phone
State v. Crippen, 2016 Del. Super. LEXIS 265 (June 15, 2016).
A Delaware Superior court denied Jeffrey Crippen’s motion to suppress two search warrants targeting Crippen’s residence and electronically stored data from his cell phone, finding that the four corners of the affidavits in support of the warrants provided sufficient details to establish probable cause.
Loss of Privacy Interest Under Abandonment Doctrine
State v. Samalia, 2016 Wash. LEXIS 837 (July 28, 2016).
The Washington Supreme Court affirmed the lower court decision, finding that although Adrian Samalia had a protected privacy interest in the cell phone and its data in the stolen vehicle at the time of the lawful traffic stop, he abandoned that interest when he voluntarily left the cell phone in the vehicle while fleeing from the stop. The court further found that citizens may lose their constitutional protections in a private affair under the abandonment doctrine, which applies to cell phones.
Unconstitutionality of Cyberbullying Statute
State v. Bishop, 2016 N.C. LEXIS 440 (June 10, 2016)
The North Carolina Supreme Court ireversed, finding the court of appeals erred in upholding Robert Bishop’s conviction for cyberbullying because the statute violated the First Amendment. The court held the statute, N.C. Gen. Stat. § 14-458.1(a)(1)(d) (2015), restricted speech, and the statute was not narrowly tailored to the State’s asserted interest in protecting children from the harms of online bullying, finding that it was not clear that teenagers required protection via the criminal law from online annoyance.
Ed. Note: Assistant Attorney General Kimberly Callahan represented the State.
Text Messages Encouraging Suicide
Commonwealth v. Carter, 474 Mass. 624 (July 1, 2016).
The Massachusetts Supreme Court affirmed, finding the juvenile court properly refused to dismiss an indictment under the juvenile offender statute. The court agreed the evidence that Michelle Carter sent her boyfriend text messages encouraging him to kill himself, instructing him as to when and how to do so, assuaging his concerns and chastising him when he delayed established probable cause to warrant an indictment for involuntary manslaughter. The court ruled the juvenile’s speech was not protected under the First Amendment because the Commonwealth had a compelling interest in deterring speech that had a direct, causal link to a specific victim’s suicide.
Recording Phone Calls From Jail
State v. Willis, 2016 Tenn. LEXIS 405 (July 6, 2016).
The Tennessee Supreme Court affirmed, finding that the admission of incriminating statements Howard Willis made to his ex-wife did not violate his Sixth Amendment rights because by placing the calls to her with full knowledge they were subject to monitoring and recording by the jail, Willis voluntarily and knowingly waived his rights.
Ed. Note: The State was represented on appeal by Solicitor General Andree Blumstein and Senior Counsel James Gaylord of the Tennessee Attorney General’s Office.
Video Voyeurism “Not in Plain View”
State v. Panek, 166 Conn. App. 613 (July 5, 2016).
The Connecticut Appellate Court affirmed, finding the lower court’s dismissal of three consolidated informations charging John Panek with violating the video voyeurism statute was proper because, under the language of the statute, the perspective from which the “not in plain view” element of voyeurism must be evaluated was that of Panek, not that of the general public. Further, the court found that because the statute concerned conduct involving two persons, it must logically be Panek as to whom the complainant was not in plain view when her image was recorded.
Expectation of Privacy in Non-Content Cell Phone Information
State v. Hill, 2016 Ga. App. LEXIS 432 (July 13, 2016).
A Georgia appeals court reversed the judgment in a misdemeanor theft of services case in which Brandon Hill fled without paying a taxi fare, but left his cell phone in the back of the taxi, finding the trial court erred in granting Hill’s motion to suppress as there was no search under the Fourth Amendment because the officer did not access any information from within the phone, but instead sent Hill’s telephone number to the 911 dispatcher when he placed an emergency call from the phone, and Hill had no reasonable expectation of privacy in the cell phone information regarding his name, date of birth and phone number.
Electronic Search Probation Condition for Minor
In re J.E., 2016 Cal. App. LEXIS 602 (July 20, 2016).
A California appellate court affirmed a lower court order, finding it was proper to impose an electronic search probation condition on a minor, even though it was not related to the minor’s burglary offense, because it was reasonably related to deterring future criminality in that it allowed probation officers to monitor the minor’s adherence to drug and other conditions. The court ruled that although the minor’s right to privacy was implicated, the search condition was not overbroad because the minor had numerous and fairly severe circumstances and needs as he was chronically truant, had a difficult family life and had a significant drug and alcohol problem.
Deputy Attorney General Hanna Chung represented the People.
Requirements for Access to Telephone Billing Records
State v. Lunsford, 2016 N.J. LEXIS 717 (Aug. 1, 2016).
The New Jersey Supreme Court affirmed the lower court judgment, ruling that telephone billing records are entitled to protection from government access because they reveal details of one’s private affairs that are similar to what bank and credit card records disclose, and those areas of information should receive the same level of constitutional protection and be available based on a showing of relevance. The court held that direct judicial oversight of the process is required to guard against the possibility of abuse, and to obtain a court order requiring production of those records, the State must present specific and articulable facts to demonstrate that the records are relevant and material to an ongoing criminal investigation.
Ed. Note: Assistant Attorney General Ronald Susswein of the New Jersey Attorney General’s Office argued the case for the State; Deputy Attorneys General Claudia Demetro, Ian Kennedy and Jane Schuster participated on the brief.
Overbroad Search Warrant
State v. Mansor, 275 Ore. App. 778 (July 27, 2016).
The Oregon Court of Appeals reversed the lower court decision, ruling the search warrant in a prosecution into the death of Kaliq Mansor’s infant son was impermissibly overbroad, rendering the search of Mansor’s computers unlawful because the warrant permitted a temporarily unlimited examination of the contents of Mansor’s computers, including files and functions unrelated to Internet searches and emails. The court also found that for purposes of the particularity requirement, personal electronic devices are more akin to the “place” to be searched than to the “thing” to be seized and examined, so the search of that place must be limited to the digital data for which there is probable cause to search.
Ed. Note: Assistant Attorney General Peenish Shah of the Oregon Attorney General’s Office argued the case for the State; Solicitor General Anna Joyce joined on the brief.
Recent Federal Court Decisions
Predator’s Knowledge of Minor’s Age
U.S. v. Henry, no. 15-1523 (1st Cir. June 17, 2016).
The First Circuit Court of Appeals affirmed the decision of the U.S. District Court for the District of Maine, finding that 18 U.S.C.S. § 2251(a) on sexual exploitation of a minor does not require that a person convicted of violating it needs to know the actual age of the minor.
Fourth Amendment Applicability to NCMEC
U.S. v. Ackerman, 2016 U.S. App. LEXIS 14411 (10th Cir. Aug. 5, 2016).
The Tenth Circuit Court of Appeals reversed the U.S. District Court for the District of Kansas’ denial of the motion to suppress, ruling that the National Center for Missing and Exploited Children (NCMEC) qualified as a government entity to which the Fourth Amendment applied. The court found that NCMEC’s review of Walter Ackerman’s emails constituted a search within the meaning of the Fourth Amendment so that a warrant or an exception to the warrant requirement was required.
Recent Legislative Action
On July 7, 2016, the U.S. House passed H.R. 5485, an appropriations bill that would block funding for the implementation of net neutrality under the Federal Communication Commission’s (FCC’s) Open Internet Order until three separate court cases contesting the rule have exhausted their appeals. It would also prohibit broadband rate regulation and table the FCC’s set-top box proposal. The bill has been forwarded to the Senate.
Cybercrime Initiatives in the Attorney General Community
Alabama Attorney General Luther Strange announced that a circuit court had ruled for the State in an electronic bingo case, granting the State’s Petition for Forfeiture and Condemnation of $191,249.11 in currency and illegal gambling machines seized from Frontier Bingo. Assistant Attorneys General John Kachelman and Bill Lisenby of the Criminal Trials Division handled the case, which was investigated by Investigations Division special agents.
California Attorney General Kamala Harris’ Bureau of Children’s Justice and the False Claims Unit reached a settlement with K12 Inc., a for-profit online charter school operator, and the California Virtual Academies (“CAVA” Schools), a group of 14 affiliated non-profit schools that it manages, over allegations that the schools misled parents as to students’ academic progress, parental satisfaction, class size and eligibility for higher learning. The Attorney General’s Office also alleged that the schools submitted inflated attendance numbers to collect additional funds and that the nonprofits had been urged to enter unfavorable contracts that resulted in financial problems. Under the settlement, which is subject to court approval, K12 will provide $160 million of debt relief to the non-profits and $8.5 million to settle all claims. K12 also agreed to implement reforms in its contracts with the non-profits, undergo independent reviews of its services for students with disabilities, ensure the accuracy of its ads and train teachers to prevent improper attendance records.
Delaware Attorney General Matthew Denn formally notified DraftKings, Inc., FanDuel, Inc. and Yahoo Inc. that their respective online fantasy sports activities are not permitted under State law, and asked that the companies add Delaware to their lists of states in which players are not legally permitted to win monetary prizes.
Florida Attorney General Pam Bondi and the Federal Trade Commission announced a settlement with PC Cleaner, Inc., Netcom3 Global, Inc., Netcom3, Inc. and Cashier Myricks, the principal of all three companies, on allegations the defendants deceptively marketed computer software and tech support services. Under the settlement, defendants are prohibited from misrepresenting they identified issues that could affect users’ computer security; misrepresenting their goods and services; and using misleading statements to induce consumers to buy. Defendants also agreed to a judgment of more than $29 million, with $258,000 to be paid and the balance of the judgment suspended.
Hawaii Attorney General Doug Chin announced that the State circuit court ruled that online travel companies, including Expedia, Priceline, Travelocity, Orbitz and Hotwire, must pay the State general excise tax on certain rental car transactions. The court also upheld tax assessments on gross receipts from online travel car rentals not sold as part of a travel or tour package with other services such as airline or hotel reservations. Further, the court ruled that under a special provision in the general excise tax law for tourism related services, the companies owe general excise taxes on net receipts from car rental transactions that were included in a travel or tour package.
Illinois Attorney General Lisa Madigan announced that Christopher Cook was sentenced to 40 years in prison after pleading guilty to two counts of distribution of child pornography. The sentence will run consecutive to a four-year sentence Cook is serving after being convicted of possession of child pornography.
Kentucky Attorney General Andy Beshear’s Cyber Crimes Unit arrested and charged James Cayton, an MP at Fort Knox, with online solicitation of a minor, a Class D felony, after he was indicted by a grand jury. Cayton was actually soliciting an undercover investigator’s persona. The Franklin County Sheriff’s Department and the U.S. Army CID assisted in locating Cayton.
Louisiana Attorney General Jeff Landry’s Cyber Crime Unit arrested Telesforo Lopez-Silva, an illegal immigrant, on three counts of possession of child pornography. The arrest resulted from a joint investigation by the Unit, Homeland Security Investigations and the Sulphur Police Department. Immigration and Customs Enforcement has placed Lopez-Silva on detainer.
Massachusetts Attorney General Maura Healey announced that George Shipps was indicted by a grand jury for possession of child pornography, occurring while he was on probation for a previous violation. The case is being prosecuted by Assistant Attorney General Allyson Portney of the Enterprise, Major and Cyber Crimes Division. It was investigated by State Police assigned to Attorney General Healey’s Office with assistance from the Boston Police Department and the Attorney General’s Digital Evidence Laboratory.
Missouri Attorney General Chris Koster announced that Darran Boston was sentenced to 527 years in prison for 25 counts relating to online exploitation of a minor and one count of possession of child pornography. Assistant Attorney general Ashley Turner prosecuted the case.
Nebraska Attorney General Doug Peterson entered into a settlement with B & B Communications, Inc. and its principals, resolving an investigation into alleged pyramid schemes through websites such as 2x2successteam.com, ffcbridge.com, financialfitnessclub.com, privatemillionairesclub.com, bandbonlineads.com and babdbsuccessclub.com. The settlement requires B & B to comply with multiple assurances regarding conduct, pay $11,000 in restitution to customers and pay $15,000 to the State.
New Jersey Attorney General Christopher Porrino announced that Anthony Ferrer of New York was indicted on charges he used stolen identities to obtain official identification documents from the Motor Vehicle Commission. He allegedly used those documents to obtain new titles for vehicles and concealed liens of more than $239,000 held by lenders that financed the cars. The 43-count indictment includes second-degree counts of conspiracy, official misconduct, computer theft, theft by deception, bribery and use of personal identifying information of another. Deputy Attorney General Michael King of the Specialized Crime Bureau presented the indictment, and Detective Nicholas Olenick and Investigator Ruben Contreras of the Bureau were the lead investigators. The State MVC Security and Investigations Unit and the New York City Police Department assisted in the case.
New York Attorney General Eric Schneiderman entered into settlements with Tristar Products, Inc., based in New Jersey, and Product Trend, LLC, based in Vermont, to resolve allegations of deceptive television and online advertising and sales practices. The settlements require the companies to significantly reform their advertising, ordering and customer service practices. Tristar must also pay $700,000, and Product Trend must pay $175,000, to Attorney General Schneiderman’s Office for restitution, penalties, costs and fees.
North Carolina Attorney General Roy Cooper announced that Mark White, the operator of computer repair shops Raleigh Geeks and Wilmington Geeks, has been ordered to pay $10,425 in refunds to consumers for computer repair work he failed to complete. White must also pay $9,575 to Attorney General Cooper’s Consumer Protection Division for investigative costs.
Texas Attorney General Ken Paxton’s Child Exploitation Unit and the Houston County Sheriff’s Office arrested Alan Brown, Dana Killian and Richard Allred as a result of a sting operation to expose child predators who commit sex crimes against minors solicited through the Internet.
Vermont Attorney General William Sorrell announced that Shawn Ellison was sentenced to seven to 12 years in prison, with all but two years suspended, and 15 years on probation, after pleading guilty to three felony counts of sexual exploitation of a child and one felony count of possession of child pornography. Ellison had been charged pursuant to an investigation by Attorney General Sorrell’s Office, the South Burlington Police Department, the Department of Homeland Security, the State Police and the State Internet Crimes Against Children Task Force. Ellison will be subject to special probation conditions designed for sex offenders and will be required to register as a sex offender.
Washington Attorney General Bob Ferguson filed suit against Comcast Corp., alleging a pattern of illegally deceiving customers by misrepresenting the scope of its Service Protection Plan, charging customers improper service call fees and using improper credit screening tactics. The lawsuit seeks more than $73 million in restitution of Plan subscriber payments; full restitution for all service calls applying improper resolution codes, estimated at $1 million; removal of improper credit checks from the credit reports of more than 6,000 customers; up to $2,000 per violation of the Consumer Protection Act; and broad injunctive relief, including requiring Comcast to clearly disclose the limitations of its Plan.
Wisconsin Attorney General Brad Schuelke’s Office, the Pierce County Sheriff’s Office and the Prescott and Lake Ville, Minnesota Police Departments executed a search warrant at the residence of Grady Riley, who was on parole for possession of child pornography. Riley admitted to having downloaded child pornography since his release from federal prison, and on-scene forensics of Riley’s storage devices identified thousands of child pornography images. The U.S. Attorney’s Office for the Western District of Wisconsin is prosecuting the case.
Ed. Note: The Editor thanks Matthew Joy of the Division of Criminal Investigation for this information.
Hedda Litwin is the Editor of the Cybercrime Newsletter and may be reached at 202-326-6022. The Cybercrime Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material. For content submissions or to contact the editor directly, please e-mail email@example.com.