This is the last Cybercrime post…maybe ever. I’ve not really gotten any feedback on the previous posts other than the fact that April was a record-breaking month. I wrote a trademarks post in April too, so I don’t know if that provided any sort of bump. As I write this on May 2, we are on pace to almost double our record-breaking April, so maybe that’s something. The fall schedule was supposed to come out yesterday, but it still hasn’t come out. Once I pick classes for the fall, I’ll let everyone know what they can expect on the blog come fall. As for the summer, well, I have 8 drafts in the works, so I suspect I’ll get those out the door. I haven’t thought about a summer theme though. I am up for suggestions.
As to this final Cybercrime post for the semester, our reading actually covered stalking and harassment as well as identity theft. If anyone is interested in an article on those topics, please let me know. For now I am going to sum it up with stalking and harassment are bad, mmkay?
Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028
Identity Theft Penalty Enhancement Act, 18 U.S.C. § 1028A
Fraud and Related Activity in Connection With Access Devices, 18 U.S.C. § 1029
Incidentally, identity theft is also bad; you know, if that wasn’t clear from the whole cybercrime motif. Even if some things that are crimes shouldn’t be, like say, violating a contract, they are still bad if you do them and get caught before the EFF and others can convince people to change the laws (and violating a contract is always going to be subject to civil penalties, so it’s just something you shouldn’t do). So, don’t steal people’s identities. I feel pretty confident with that advice, even though I am not a lawyer, but you know, consult an attorney if you have question.
Identity Theft and Assumption Deterrence Act
Sitting down to write this post, I realized that I had a lot less to say than usual. I thought, perhaps, I was just exhausted from finals (I am) and just couldn’t think of anything. However, in a moment of clarity, it occurred to me that we read no case law on the topic of identity theft. We focused exclusively on stalking and harassment. Because of that, there are no judges interpreting the statute in crazy ways. Crazy judges make for easy commentary.
Identity theft prevention and security generally I think are going to be reoccurring topics on OSP, so I think looking at the federal statute can provide important background information, even if this post is going to be on the dry side.
It turns out there are 1799 words (according to LibreOffice) in this section of Title 18, so obviously commenting on all of it would lead to a pretty long article. Since the definitions cover both 1028 and 1028A, I’ll reproduce the definitions here for your perusal.
(d) In this section and section 1028A—
(1) the term “authentication feature” means any hologram, watermark, certification, symbol, code, image, sequence of numbers or letters, or other feature that either individually or in combination with another feature is used by the issuing authority on an identification document, document-making implement, or means of identification to determine if the document is counterfeit, altered, or otherwise falsified;
(2) the term “document-making implement” means any implement, impression, template, computer file, computer disc, electronic device, or computer hardware or software, that is specifically configured or primarily used for making an identification document, a false identification document, or another document-making implement;
(3) the term “identification document” means a document made or issued by or under the authority of the United States Government, a State, political subdivision of a State, a sponsoring entity of an event designated as a special event of national significance, a foreign government, political subdivision of a foreign government, an international governmental or an international quasi-governmental organization which, when completed with information concerning a particular individual, is of a type intended or commonly accepted for the purpose of identification of individuals;
(4) the term “false identification document” means a document of a type intended or commonly accepted for the purposes of identification of individuals that—
(A) is not issued by or under the authority of a governmental entity or was issued under the authority of a governmental entity but was subsequently altered for purposes of deceit; and
(B) appears to be issued by or under the authority of the United States Government, a State, a political subdivision of a State, a sponsoring entity of an event designated by the President as a special event of national significance, a foreign government, a political subdivision of a foreign government, or an international governmental or quasi-governmental organization;
(5) the term “false authentication feature” means an authentication feature that—
(A) is genuine in origin, but, without the authorization of the issuing authority, has been tampered with or altered for purposes of deceit;
(B) is genuine, but has been distributed, or is intended for distribution, without the authorization of the issuing authority and not in connection with a lawfully made identification document, document-making implement, or means of identification to which such authentication feature is intended to be affixed or embedded by the respective issuing authority; or
(C) appears to be genuine, but is not;
(6) the term “issuing authority”—
(A) means any governmental entity or agency that is authorized to issue identification documents, means of identification, or authentication features; and
(B) includes the United States Government, a State, a political subdivision of a State, a sponsoring entity of an event designated by the President as a special event of national significance, a foreign government, a political subdivision of a foreign government, or an international government or quasi-governmental organization;
(7) the term “means of identification” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any—
(A) name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(B) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(C) unique electronic identification number, address, or routing code; or
(D) telecommunication identifying information or access device (as defined in section 1029 (e));
(8) the term “personal identification card” means an identification document issued by a State or local government solely for the purpose of identification;
(9) the term “produce” includes alter, authenticate, or assemble;
(10) the term “transfer” includes selecting an identification document, false identification document, or document-making implement and placing or directing the placement of such identification document, false identification document, or document-making implement on an online location where it is available to others;
(11) the term “State” includes any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession, or territory of the United States; and
(12) the term “traffic” means—
(A) to transport, transfer, or otherwise dispose of, to another, as consideration for anything of value; or
(B) to make or obtain control of with intent to so transport, transfer, or otherwise dispose of.
One thing I will note is that issuing authorities include other countries, so faking a French passport or something of that nature is going to be a crime.
That finally got me thinking…what if you want to make a movie that include made up individuals and the plot requires identification? According to (a)(1) it is a crime to
knowingly and without lawful authority produces an identification document, authentication feature, or a false identification document;
It’s possible that a First Amendment challenge might work, but this is definitely something on which I would need to do more research. If anyone is curious, let me know and maybe I can do the research this summer!
Identity Theft Penalty Enhancement Act
This shows up in Title 18 as “aggravated identity theft” and that may be more descriptive, as long as you know what “aggravated” means in the law. Basically, if you do bad stuff while impersonating someone else, there are enhanced penalties.
My only real thought about this is that I’d be curious how this interacts with the CFAA. Is sharing a Netflix password identity theft? It is certainly a violation of the Netflix TOS, and thus a violation of the CFAA.
Based on the definition of “means of identification” reproduced above, I suspect it is. Even if sharing a password doesn’t fall into the definitions of (C) and (D), which I suspect it might, the “including” language means that the specified means of identification are not the only possible means of communication.
And, if you do decide to share a password with someone, make sure it’s not a password you reuse for other services. This probably sounds like common sense, but a lot of people throw common sense out the window once they touch a computer.
Fraud and Related Activity in Connection With Access Devices
I always wonder about statutes like this. Fraud is fraud, right? The statute has been cited 8435 times according to Westlaw, so I guess there’s something in there. This statute goes through sub-section (h), so I can only cover a little bit of the act, but let’s see what we’ve got.
Those citations break down like this:
Administrative Decisions & Guidance: 155
Secondary Sources: 540
Appellate Court Documents: 2,744
Trial Court Documents: 3,154
As it turns out, one of those cases is a SCOTUS case. That case primarily is about 18 U.S.C. § 3583, which brings up a good point. Whenever we discuss statutes on the blog, there may be other statutes that supersede in certain contexts. This is one of the problems with the US criminal code. We are discussing §3583. How is anyone expected to know that many provisions? I’ve been through two years of law school and I’ve barely touched the criminal code. Granted, that has largely been my choice. The school offers 12 criminal classes. Of course, there are other criminal classes out there that UNH doesn’t offer. For example, Vermont offers a course in wildlife crimes.
Of course, the numbers are a bit misleading. There are gaps, but Title 18 also goes up to §6005, so it’s not like §3583 is close to the end.
Obviously with so many cases and secondary sources, there is a lot to be said about fraud and cybercrime. However, I’m currently at 1850+ words, so it’s probably time for you to rest your eyes.
Now that I’m done with my planned Cybercrime series, I must decide how to spend the rest of my scheduled time studying for my Cybercrime final. I may decide to bring you more articles. I may decide to study for my tax final instead. Man, tax is a beast. I’ve already started an article on the tax consequences of free software, but we’ll see when I’m able to get that out.
Get in Touch
I’m on too many social networks to list them all!
Help Doug get through law school! Buy him a book or food!
You can also donate directly to our hosting cost.