Cybercrime Newsletter March - April 2016
CSA Lists Top 12 Cloud Computing Threats
The Cloud Security Alliance (CSA), a non-profit promoting best practices in cloud computing, listed their “Treacherous 12,” the top 12 cloud computing threats that organizations face in 2016. The list and accompanying research report were developed to serve as a guide to help cloud users and providers make informed decisions about risk mitigation within a cloud strategy. The CSA notes that the on-demand nature of cloud computing introduces the possibility of new security breaches that may erase any gains made by the switch to cloud technology. The report may be accessed at https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/.
FBI, DoT Warn About Connected Cars
The FBI and the U.S. Department of Transportation (DoT) issued a public service announcement (PSA) warning manufacturers and consumers about the dangers of connected cars, citing vulnerabilities within a cellular phone or tablet connected to the vehicle via USB, Bluetooth or WiFi. The PSA recommended that consumers ensure their vehicle’s software is updated, be careful when modifying the vehicle software and exercise discretion when connecting third-party devices to vehicles. The PSA also provides guidelines on what to do if a consumer suspects their vehicle has been hacked. The press release may be accessed at www.ic3.gov/media/2016/160317.aspx#fn1.
New App to Give California Drivers Real-Time Traffic Data
The California Department of Transportation (Caltrans) entered an agreement with smartphone app Waze under which Waze will provide Caltrans with real-time traffic data for posting on Caltrans’ Quickmap app and on its website, quickmap.dot.ca.gov. In exchange, Caltrans will provide Waze with information on road closures, construction projects and other conditions that can tie up traffic. The app is free, and drivers can proactively provide information to Waze on such conditions as speed traps, stalled cars or police activity.
US, Canada Issue Joint Ransomware Alert
The U.S. Department of Homeland Security and the Canadian Cyber Incident Response Center issued a rare joint cyber alert warning about the recent surge in ransomware attacks, in which data is encrypted and criminals demand payment for it to be unlocked. The alert offers tips on keeping data safe and advises victims not to pay if they are hit by ransomware. The alert may be accessed at www.us-cert.gov/ncas/alerts/TA16-091A.
NTIA Seeks Comments on IoT
The National Telecommunications and Information Administration (NTIA) is seeking comments on the potential benefits and challenges of Internet of Things (IoT) technologies and what role, if any, the U.S. government should play in this area. After analyzing the comments, NTIA intends to issue a “green paper” identifying key issues impacting deployment of these technologies, highlighting potential benefits and challenges, and identifying possible roles for the federal government in fostering the advancement of IoT technologies in partnership with the private sector. Comments may be submitted by email to firstname.lastname@example.org or in writing to National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Ave., NW, Rm. 4725, Attn: IOT RFC 2016, Washington, DC 20230 by May 23, 2016.
Texas Prisons Cracking Down on Inmates’ Social Media Accounts
The Texas Department of Criminal Justice has established a formal rule prohibiting inmates from possessing social media accounts that are managed for them by friends or relatives, since the prisoners have no Internet access while incarcerated. That rule is now part of the 134-page orientation handbook delivered to each inmate.
In the State Courts
Tweets as Cyberstalking Threat
State v. Kohonen, 2016 Wash. App. LEXIS 162 (Feb. 8, 2016).
A Court of Appeals of Washington reversed, ruling there was insufficient evidence to find Jessica Kohonen, a juvenile, guilty of cyberstalking because a reasonable person in her position would not have foreseen the tweets she sent from her personal Twitter account would be interpreted as a serious expression of an intent to physically harm the alleged victim. The court therefore found the tweets did not constitute a “true threat,” which is required to establish cyberstalking. The case was remanded for the charge to be dismissed with prejudice.
David v. Textor, 41 Fla. L. Weekly D 131 (Fla. App. Jan. 6, 2016).
A Florida Court of Appeals reversed and reinstated a temporary injunction, finding that the trial court erred in denying Alkividades David’s motion to dissolve an ex parte injunction prohibiting him from cyberstalking John Textor. The court found that a reasonable person would not have suffered substantial emotional distress over David’s texts, emails and tweets concerning the parties’ business dispute, and the communications served a legitimate business purpose. The court further found that as David’s online posting simply provided information regarding Textor and the many lawsuits against him, and the injunction prevented not only communications to Textor, but also communications about him, such prohibition by prior restraint violated the First Amendment.
Scope of Search of Registered Sex Offender
State v. Barth, 2016 Iowa App. LEXIS 144 (Feb. 24, 2016).
The Iowa Appeals Court affirmed the trial court’s denial of Adym Barth’s motion to suppress evidence allegedly obtained in violation of his Fourth Amendment rights, finding the scope of the search, to which Barth consented, was limited to Barth’s phone to address the conditions of supervision of Barth, a registered sex offender on parole.
Ed. Note: Assistant Attorneys General Kevin Cmelik and Kelli Huser of the Iowa Attorney General’s Office represented the State.
Suppression of Photos on Husband’s Cell Phone
State v. McMillion, 23 Neb. App. 687 (Mar. 1, 2016).
The Nebraska Court of Appeals affirmed the judgment of the trial court, finding it properly denied Candice McMillion’s motion to suppress photos found on her husband’s cell phone, as she did not possess an ownership interest in, or dominion and control over, the phone.
Ed. Note: Assistant Attorney General George Love of the Nebraska Attorney General’s Office represented the State.
Privacy Interest in Stored Data
State v. Ladd, 2016 N.C. App. LEXIS 288 (Mar. 15, 2016).
The North Carolina Court of Appeals reversed a lower court decision, finding that where Timothy Ladd had entered a conditional plea to secretly using a photographic device to capture images of another person, his motion to suppress should have been granted because Ladd possessed and retained a reasonable expectation of privacy in the external data storage devices inside his laptop bag. The court further found that Ladd’s privacy interests in the external data storage devices outweighed any safety or inventory interest the officers had in searching the contents of the devices without a warrant.
Ed. Note: Assistant Attorney General Philip Reynolds of the North Carolina Department of Justice represented the State.
Search of Minor’s Cell Phone by School Officials
In re Rafael C., 2016 Cal. App. LEXIS 229 (Mar. 25, 2016).
A California Court of Appeal modified, then affirmed, a lower court decision, finding that a search of the minor’s cell phone was reasonable at its inception because 1) a firearm and its magazine cartridge had been seized from a trash can; 2) the minor lingered outside the office where the student with the gun was detained; and 3) when the minor was questioned after trying to get away, he started fingering the cell phone. The court further ruled that a warrant was not necessary before school officials searched the data on the phone because they were confronted by a situation in which a loaded firearm had been discovered on school property, and they were concerned the minor might be trying to use his cell phone to communicate with students who might possess another firearm or weapon the officials did not know about.
Ed. Note: Supervising Deputy Attorneys General Donna Provenzano and Laurence Sullivan of the California Department of Justice represented the State.
Warrantless Search of Passenger’s Laptop
Minassian v. State, 2016 Tex. App. LEXIS 2814 (Mar. 17, 2016).
A Texas Court of Appeals affirmed a trial court judgment, ruling that Arkadi Minassian lacked standing to challenge the warrantless search of the laptops found in the car in which he was a passenger because he failed to prove a legitimate expectation of privacy in the laptops.
Warrant Requirement for Use of Cell Site Simulator
State v. Andrews, 2016 Md. App. LEXIS 33 (Mar. 30, 2016).
The Maryland Court of Special Appeals affirmed, holding that cell phone users have an objectively reasonable expectation under the Fourth Amendment that their cell phones will not be used as real-time tracking devices through the direct and active interference of law enforcement; therefore, the use of a cell site simulator by the government requires a search warrant based on probable cause which describes with particularity the object and manner of the search. The court found that Kerron Andrews’ Fourth Amendment rights were violated because the pen register application failed to clearly articulate its intended use to track Andrews’ cell phone using an active cell site simulator, and police did not have the searched address as a possible location until the cell phone company provided that information; only after receiving that information and arresting Andrews did officers apply for a search warrant.
In the Federal Courts
Texts Establishing Probable Cause
U.S. v. Paniagua-Garcia, 2015 U.S. App. LEXIS 2800 (7th Cir. Feb. 18, 2016).
The Seventh Circuit Court of Appeals reversed Gregorio Paniagua-Garcia’s conviction in the U.S. District Court for the Southern District of Indiana, holding the government failed to establish that an officer had probable cause or a reasonable suspicion that Paniagua-Garcia possessed illegal drugs. The court found there was no evidence of what percentage of drivers sent texts; the officer had not seen any texting; and the mere possibility of unlawful use was not enough to create a reasonable suspicion of a criminal act.
Texts on Victim’s Cell Phone
U.S. v. Gemma, 2016 U.S. App. LEXIS 5852 (1st Cir. Mar. 30, 2016).
The First Circuit Court of Appeals affirmed, finding that the U.S. District Court for the District of Massachusetts did not err in denying Michael Gemma’s motion to suppress text messages found on the victim’s cell phone, where the victim appeared to be a minor, and the phone was obtained from Gemma’s vehicle in the course of the police officer’s community caretaking duties.
Warrantless Search of Probationer’s Cell Phone
U.S. v. Lara, 2016 U.S. App. LEXIS 3995 (9th Cir. Mar. 3, 2016).
The Ninth Circuit Court of Appeals reversed the judgment of the U.S. District Court for the Central District of California, holding that Paulo Lara had a substantial privacy interest in his cell phone and the data it contained, and his probation conditions did not clearly authorize cell phone searches. The court found that although Lara’s privacy interest was somewhat diminished by his status as a probationer, the searches were unreasonable, and his acceptance of the probation condition was not sufficient by itself to render the searches lawful.
Spousal Consent to Search Computer
U.S. v. Thomas, 2016 U.S. App. LEXIS 5972 (11th Cir. Apr. 1, 2016).
The Eleventh Circuit Court of Appeals affirmed the judgment of the U.S. District Court for the Middle District of Florida, holding that where Eric Thomas’ wife told police she saw child pornography on their home computer; officers obtained her consent to search it; the husband subsequently revoked consent; and officers found child pornography, suppression was not warranted under the Fourth Amendment because the wife had apparent authority to consent to a forensic search since she had joint access over the computer for most purposes, and the husband did not protect his Internet history from her by maintaining a separate login name and password or by encrypting his files. The court further found the fact that the husband was the primary user of the computer was insufficient to show that his wife lacked the requisite common authority to consent. The court also ruled that the evidence seized from the computer pursuant to the search warrant was admissible under the independent source doctrine.
State Legislative News
Washington Governor Jay Inslee signed a bill governing the use of body cameras into law. The bill, HB 2362, codified as Chapter 163, requires law enforcement agencies deploying body cameras to establish policies regarding their use and requires them to retain body camera recordings for at least 60 days. The law becomes effective on June 9, 2016.
The New Jersey Senate unanimously passed a bill banning “upskirting.” The bill, AB 156, prohibits secretly photographing or recording underneath another person’s clothing, and had been passed by the Assembly in February. The bill makes the photographing a crime of the third degree punishable by imprisonment for up to 18 months, a fine of up to $10,000, or both; disclosing such a photograph is a crime of the third degree punishable by imprisonment of three to five years, a fine of up to $15,000, or both. It also authorizes civil actions by victims for monetary and equitable relief. The bill, which would become effective on July 1, 2016 if enacted, was previously passed by the Assembly.
Alaska Senate Votes to Relax Penalty for Texting While Driving. SB 123 makes the penalty for such texting a $500 fine instead of a misdemeanor. The fine can be paid without a court appearance. SB 123, however, does not change the penalty for texting while driving that leads to a car accident injury or death, which still remains a felony. The bill has been sent to the House for consideration.
California Assembly Committee Holds Decryption Bill. The Privacy and Consumer Protection Committee held without recommendation AB 1681, a bill that would have authorized $2500 penalties against smartphone manufacturers and operating system providers if they did not obey state court orders to decrypt the phones.
Oklahoma Senate Passes Bill on Internet Sales Taxes. HB 2531 would require out-of-state companies selling to state residents to send their customers a yearly statement noting the dollar amount of purchases and the fact that they may owe state tax.
Wisconsin Governor Scott Walker Signs Bill on Subpoenas in Child Pornography Cases. SB 546 gives the Attorney General the power to issue subpoenas without judicial approval in order to request ISPs to provide the names and addresses of computer users accessing child pornography.
Federal Legislative News
The House passed HR 699, a bill sponsored by Representative Kevin Yoder (R-KS), which would amend the Electronic Communications Privacy Act (ECPA) to require the government to obtain a warrant before requiring providers to disclose the content of emails, regardless of how long the communication has been held in electronic storage. The bill has been sent to the Senate.
The House passed HR 2666, a bill sponsored by Representative Adam Kinzinger (R-IL), which would prohibit the Federal Communications Commission (FCC) from regulating the rates charged for broadband Internet access. The bill has been sent to the Senate.
Cybercrime Initiatives in the Attorney General Community
Alabama Attorney General Luther Strange announced that fantasy sports operators DraftKings and FanDuel have each entered into an agreement with the State to cease operations in Alabama. The companies must also process requests from Alabama IP addresses to withdraw their account balances within seven days.
Arizona Attorney General Mark Brnovich announced a state grand jury indicted four individuals in connection with a Craigslist employment and credit card scam.
Special Agent Annalisa Madsen of the Special Investigation Section investigated the case, which is being prosecuted by Assistant Attorney General Andy Kvesic.
California Attorney General Kamala Harris announced preliminary approval of settlements resolving allegations that LG, Hitachi, Panasonic, Toshiba and Samsung fixed prices on critical components of computer monitors and televisions. The settlements include a requirement that the companies pay back the illegally obtained profits to those affected.
Delaware Attorney General Matthew Denn announced that the Delaware Child Predator Task Force arrested Joshua Rutherford, a former high school teacher, for attempting to solicit a minor female. Search warrants were executed at Rutherford’s home and on his vehicle, and numerous electronic devices were seized.
Florida Attorney General Pam Bondi’s Office announced an agreement with legal publishers Juris Publishing, Inc. and Jurisnet, LLC regarding their use of negative option marketing in advertising, selling and distributing print, electronic and CD publications. The agreement includes a requirement that the companies offer a refund to each consumer who paid for an automatic shipment.
Idaho Attorney General Lawrence Wasden’s investigators arrested and charged Dustin Penrod with distributing child pornography. The Cassia County Sheriff’s Department and Prosecutor’s Office assisted with the case, which was based on a tip from the National Center for Missing and Exploited Children (NCMEC).
Illinois Attorney General Lisa Madigan’s investigators arrested and charged Patrick Daigle with disseminating child pornography. The Winnebago County Sheriff’s Office and State’s Attorney’s Office assisted investigators in the search of Daigle’s residence.
Iowa Attorney General Tom Miller’s Consumer Protection Division announced that Internet marketing training company Brookwater Ventures LLC, d/b/a Brook Water Ventures, based in Nevada, and its owner, Clay Taylor, will make refunds to Iowa consumers who signed contracts for unusable training programs. The company is also prohibited from soliciting Iowans for its programs.
Kentucky Attorney General Andy Beshear’s Department of Criminal Investigations announced that Cary Pembleton was sentenced to 18 years in prison for possessing 270,00 child pornography images. Pembleton will also be required to register as a sex offender and complete a sex offender treatment program.
Louisiana Attorney General Jeff Landry announced that Melvin Newman was arrested on 500 counts of possession, and five counts of distribution, of child pornography. The arrest resulted from a joint investigation with the New Orleans Police Department Child Abuse Unit, State Police Special Victims Unit and Homeland Security Investigations.
Massachusetts Attorney General Maura Healey announced that Jeffrey Duncan pleaded guilty and was sentenced to three years in state prison for possession of child pornography and failure to provide notice of change of address as a sex offender. The case was prosecuted by Assistant Attorney General Megan McLaughlin of the Enterprise, Major and Cyber Crime Division and was investigated by State Police assigned to the Attorney General’s Office and the Digital Evidence lab, with assistance from the Springfield Police Department.
Mississippi Attorney General Jim Hood announced that the Fifth Circuit Court of Appeals vacated the lower court’s injunction enjoining him from enforcing a civil investigative demand (CID) to Google, Inc. and remanded the case with instructions to dismiss Google’s lawsuit. The case involves Google’s platforms, advertising practices and knowledge of and efforts to police illegal content.
Acting New Jersey Attorney General Robert Lougy announced that 18 defendants were arrested in a joint state and federal operation targeting offenders who use an online file-sharing network to download and distribute child pornography. The arrests were part of “Operation Safeguard,” a joint initiative by the New Jersey Division of Criminal Justice and ICE Homeland Security Investigations.
New Mexico Attorney General Hector Balderas’ Community Outreach Division held a cyber safety training in Clayton, Albuquerque and Santa Fe.
New York Attorney General Eric Schneiderman announced that fantasy sports operators FanDuel Inc. and DraftKings Inc. agreed to shut down in the State, as part of an agreement with his office. An appeals hearing is scheduled for September.
Ohio Attorney General Mike DeWine filed suit against Autos Direct Online for failing to deliver certificates of title. The suit seeks reimbursement to the Title Defect Rescission Fund.
Oklahoma Attorney General Scott Pruitt filed felony charges against Joel Joplin, who allegedly used his cell phone and Facebook Messenger app to repeatedly contact and solicit an underage girl. The Multicounty Grand Jury Unit prosecuted the case.
Pennsylvania Attorney General Kathleen Kane’s Child Predator Section arrested Salvatore D’Ambra for online distribution of child pornography. The West York Borough and Washington Township Police Departments assisted with the case, which will be prosecuted by Senior Deputy Attorney General Christopher Jones of the Section.
Texas Attorney General Ken Paxton reached an agreement with online daily sports fantasy company FanDuel in which the company will stop accepting paid entries for its games in Texas. This follows the Attorney General’s opinion that fantasy sports are not skills based as the companies contend.
Vermont Attorney General William Sorrell announced that Matthew Cook was sentenced to three to 10 years imprisonment, all suspended, and placed on probation after pleading guilty to possession of child pornography. Cook will also be required to complete sex offender treatment, register as a sex offender and have limited access to the Internet and children under the age of 16.
Washington Attorney General Bob Ferguson’s Office entered into an agreement under which Benjamin Rogovy and his company, Christian Prayer Center, will pay back as much as $7,750,000 to consumers for engaging in systematic deception, including the creation of fake religious leaders and posting false testimonials to entice consumers to pay for prayers. Assistant Attorney General Dan Davies was the lead on the case.
Hedda Litwin is the Editor of the Cybercrime Newsletter and may be reached at 202-326-6022. The Cybercrime Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material. For content submissions or to contact the editor directly, please e-mail email@example.com.