Cybercrime Newsletter

National Association of Attorneys General August/September 2003

CYBERCRIME NEWSLETTER

Issue 4 August/September 2003

News Highlights in this Issue Table of Contents Information Security Expert is Keynote at NAAG/NCJRL Cybercrime Training Dr. Gene Spafford, Director of CERIAS, speaks on risks to U.S. critical Features ...... 2 infrastructure ...... 2 Security Guru is Cybercrime Training Keynote Identity Theft: Legislative Overview Arkansas, Michigan, Texas Crack Down on Spam Voir Dire in Internet Crimes Against Children Arkansas law requires warning in subject line. Michigan House Bill 4519 allows civil suit by Attorney General. Under Texas law, violators can be fined up to AG Initiatives ...... 9 $25,000/day ...... 14 Arkansas AG Launches Online Safety Program AG Lockyer Breaks Fake Drivers License Ring Online Auction Fraud Stopped by AG Madigan House Passes Permanent Ban on Internet Taxes Iowa AG Sues ISP for Business Records Bill also eliminates “grandfather” clause allowing 10 states to maintain taxes; loss AG Reilly Settles Illegal Lottery Ticket Case estimated at $80-120 billion/year ...... 14 Michigan AG Halts Sham “Anti-Spam” Site Online Seller Sued by AG Nixon Must Pay Computer Emergency Response Center Created AG Harvey Charges Online Seller with Theft Team would coordinate efforts to prevent and respond to cyber attacks. New AG Spitzer Settles Case Against Online Retailer cyber-security chief named ...... 16 Oklahoma AG Charges Online Software Seller AG Fisher Arrests Online Child Predator Online Predator Indicted, Says AG McMaster Missouri to Allow Sex Offender Posting on Internet AG Long Charges Four With Child Pornography Bill signed into law despite constitutional challenge by sex offenders ...... 14 Utah AG’s Task Force Arrests Predator AG Kilgore Marks New Identity Theft Act House, Senate Committee Pass Internet Gambling Bills House bill exempts state regulated transactions; In the Courts ...... 10 tougher Senate bill does not ...... 15 Poster of Third Party E-Mail May Not be Liable Ban on Internet “Explicit” Material Unconstitutional Operation Predator Launched to Track Child Exploiters No Trespass by Ex-Employee Sending E-Mail Initiative will build database of child pornography images to help rescue children Legislation ...... 14 and arrest their exploiters ...... 16 Arkansas, Michigan, Texas Crack Down on Spam Missouri Enacts Sex Offender Posting Law Study Finds Internet Users Misunderstand Web Privacy Policies House Passes Permanent Ban on Internet Taxes Almost 2/3 of users never search for information on protecting privacy ...... 16 Senate Committee Attacks Online Cigarette Sales House Passes Internet Gambling Bill Vermont Ban on Sexually Explicit Materials Distribution Struck Down Violations of First Amendment and Dormant Commerce Clause Found ...... 12 News ...... 16 Computer Emergency Response Center Created Study Predicts U.S. Technology Domination Study: Web Privacy Policies Misunderstood Navy Grant on Military Security Awarded China May Fill Asia’s Technology “Power Vacuum” ...... 16 “Operation Predator” to Protect Children Launched Study Predicts U.S. Tech Domination Plug Pulled on UCITA Internet Gambling Crackdown Causes Complaint Uniform State Laws Body Will Cease Efforts to Encourage States to Enact Study: Song Swappers Blasé About Copyright Standard Software Licensing Statute ...... 17 Plug Pulled on UCITA Supreme Court Oral Arguments Offered in MP3 Format Forensic Software Tool Evaluated National Association of Attorneys General August/September 2003

Information Security Center Director Is Keynote Speaker at NAAG/NCJRL Cybercrime Training

Dr. Eugene Spafford, Specific topics included search warrant preparation and Director of the Center execution; witness interviews and defendant for Education and interrogation; charging decisions and indictment Research in Information considerations; evidentiary issues and admissibility Assurance and Security concerns; pre-trial preparation; presentation of forensic (CERIAS) and testimony; trial techniques and tactics; presenting the Professor of Computer case in chief; and meeting untrue defenses. Science at Purdue Dr. Eugene Spafford addressing Cybercrime University, addressed Attendees were also guests at a welcome Training attendees. 46 prosecutors and dinner, which featured Stewart Baker, noted technology investigators from Attorney General offices throughout attorney and former National Security Agency general the country during the first Advanced Cybercrime counsel, as keynote speaker. Baker also currently serves Training, developed by the National Association of on the President’s Export Council Subcommittee on Attorneys General (NAAG) in partnership with the Export Administration and the Markle Foundation’s Task National Center for Justice and the Rule of Law Force on National Security in the Information Age. He (NCJRL). Dr. Spafford is also a member of the discussed internet service provider-law enforcement President’s Information Technology Advisory Council relations. The training was free for Attorney General and the U.S. Air Force Scientific Advisory Board. The offices, with travel expenses paid under the training was held September 9-11, 2003 at the NAAG/NCJRL Cybercrime Partnership. University of Mississippi School of Law in Oxford, Mississippi. Participants at the training heard Spafford The next Cybercrime Training under the discuss the risks that the United States critical NAAG/NCJRL Partnership will focus on computer- infrastructure faces today with respect to computer specific crimes, including hacking, computer intrusions security. and viruses. It is scheduled for March 2-4, 2004, and attendance will be limited to prosecutors. Attorneys Dr. Spafford’s presentation was followed by General will shortly receive information about the three days of in-depth sessions on the investigation and training, including forms to nominate a prosecutor from prosecution of computer crime, which was their office to attend. For additional information, please accomplished by using an actual computer crime case contact Hedda Litwin, Cybercrime and Violence Against from one of the states. Presentations discussed the Women Counsel, at [email protected] or (202) 326- case in detail from the investigation through the trial. 6022.

2 National Association of Attorneys General August/September 2003

Identity Theft: A Legislative Overview

Marc M. Harrold

Introduction regulators (i.e. FTC); (4) consumers; and (5) the business and financial community.8 While consumer Identity theft is the fastest growing crime in the education is the likely cornerstone of any successful United States.1 While identity theft is not new, long-term identity theft reduction plan, it is outside the technology has effectively allowed criminals to scope of this article, as is the existing infrastructure of streamline their efforts and rapidly expand their victim state and federal law enforcement, the FTC and other base, leading many to call it the “crime of the new governmental agencies currently working to eliminate millennium” and “an epidemic.”2 identity theft and the business and financial community. This article will concentrate on the legislative The Problem approaches to combating identity theft and give an overview of the efforts and approaches, to date, to While identity theft is considered to be one of deal with this ever-increasing and invasive problem. the most under-discovered, and under-reported, crimes in the U.S., the numbers that actually do exist Legislative Overview paint a disturbing picture of the growing nature of this invasive crime.3 Between January and December The federal approach is best exemplified by 2002, the Consumer Sentinel, the Federal Trade the Identity Theft and Assumption Deterrence Act of Commission’s (FTC’s) database to register consumer 1998 amended, 18 U.S.C. § 1028(a)(7).9 The most complaints, received 380,103 consumer fraud and relevant language of the Act provides criminal liability identity theft complaints.4 The aggregate consumer for any person who: loss of these complaints was over $343 million.5 A comparison of the complaints lodged in 2000, 2001 “knowingly transfers or uses, without and 2002 reveal that the overall number of complaints authority, a means of identification of another person registered6 has increased from 139,007 to 380,103, with the intent to commit, or to aid or abet, any and the percentage of identity theft complaints to the unlawful activity that constitutes a violation of Federal overall number of identity theft and fraud complaints law, or that constitutes a felony under any applicable combined has almost doubled from 22 percent to 43 State or local law…” percent.7 This amendment was particularly relevant to Who Must Respond?…and How? the rising trend of identity theft as it criminalizes the theft and misuse of the identification information itself If identity theft is the problem, finding a and not just the theft and misuse of identification solution basically appears to be falling on the shoulders documents. of five major groups: (1) law enforcement (including prosecutors); (2) legislators; (3) existing governmental The Act made numerous other changes to

3 National Association of Attorneys General August/September 2003 existing law that aid in the prosecution of identity theft.10

· The Identity Theft Act amended the penalty states treat identity theft as a graded offense,13 with the provisions of § 1028(b) by extending coverage to classification of the crime and its penalty dependant offenses under the new § 1028(a)(7) and applying upon the value of the “thing” appropriated through the more stringent penalties for identity thefts involving criminal act.14 property of value. · Section § 1028(b)(1)(D) provides for a term of There are several other common features that imprisonment of not more than fifteen years when are reflected in the identity theft statutes passed to an individual commits an offense that involves the date. For instance, in California, identity theft charges transfer or use of one or more means of can only be brought if there is a pecuniary loss identification if, as a result of the offense, anything associated with the identity theft.15 A handful of states of value aggregating $1,000 or more during any have enacted “aggravated” identity theft statutes for one year period is obtained; otherwise, crimes committed against the elderly or the disabled.16 · Section 1028(b)(2)(B) provides for imprisonment Several states have included an “age-based of not more than three years. misrepresentation” exception where the · Section 1028(f) provides that attempts or misappropriation of another’s identity for the purpose conspiracies to violate § 1028 are subject to the of showing age (i.e. purchase of alcohol, etc.) is not same penalties as those prescribed for substantive separately punishable.17 Almost half the states have offenses under § 1028. included a restitution provision in their criminal identity · Section 1028(b)(3) (amended) provides that if the theft statute, and it is mandated upon the perpetrator’s offense is committed to facilitate a drug trafficking conviction in many of these states.18 Additionally, a crime, or in connection with the crime of violence, defendant may be liable for costs, reasonable or is committed by a person previously convicted attorney’s fees and damages in numerous of identity theft, the individual is subject to a term jurisdictions.19 Some states have specific and unique of imprisonment of not more than 20 years. provisions included in their laws related to court · Section 1028(b)(5) (added) provides for the records and findings to aid identity theft victims after forfeiture of any personal property used or the fact. For example, Alabama and Wyoming law intended to be used to commit the offense. require that court records reflect the innocence of a victim of identity theft.20 New Mexico and Utah law Section 1028(d)(1) modifies the earlier require the court to appropriate findings related to the definition of “document-making implement” to include innocence of the identity theft victim in the underlying computers and software specifically configured or crime.21 primarily used for making identity documents.11 Several states have expressly provided identity In the 48 states that have enacted identity theft theft victims with a civil cause of action.22 Of further statutes, it is punishable as a felony in at least 25 assistance to victims, given that it may take months or states.12 The remaining states vary in their treatment of even years to realize that one has been a victim, identity theft. The most common treatment is to Tennessee, Wyoming, and Florida have enacted a classify and “grade” the offense based on the amount “discovery rule” to toll the statute of limitations of pecuniary loss. For example, approximately 22 relevant to the civil claim.23 Jurisdiction is usually an

4 National Association of Attorneys General August/September 2003 issue given the wide geographic nature of identity theft. NOTE FROM THE EDITOR Numerous states have enacted venue provisions that allow charges to be filed in the county where the victim In juxtaposition to the above article, the Federal Trade Commission (FTC) has released its first national 24 resides regardless of the location of the perpetrator. survey on identity theft, finding that about 3.3 million Conclusion American consumers discovered within the past year that their personal data was used to open fraudulent accounts Legislative solutions to the ever-increasing or commit other crimes. The FTC estimates that these cases collectively cost businesses over $32.9 billion and cost “epidemic” of identity theft are challenged by the consumers $3.9 billion. The survey finds that 6.6 million intrinsic nature of the crime itself. The ever-expanding people fell victim to account theft, in which stolen cards or technological-savvy of identity thieves compounds the financial records were used to steal from the victim’s hurdles the legislative and law enforcement community existing accounts. These specific thefts cost businesses $14 billion and cost consumers $1.1 billion. The survey also must overcome. Issues such as jurisdiction and the shows that the consequence of identity theft are more severe frequently lengthy lapse of time before the discovery of and harder to resolve than those of other crimes. The the crime itself are aggravated by the reach of complete report can be accessed at: technology and the increasing reliance that Americans http://www.ftc.gov/os/2003/09/synovatereport.pdf place on the convenience of electronic transactions to manage their busy lives. To date, most efforts to deal with identity theft have taken the form of reactive measures to repair records and credit that have been compromised to the detriment of the consumer. Unfortunately, the burden to right this wrong has clearly been placed on the victim and countless days, months and even years of frustration, coupled with the mental anguish and feeling of personal violation make identity theft a serious and invasive crime that the government, along with the business and financial community, must now address.

Mark Harrold is Senior Research Counsel for the National Center for Justice and the Rule of Law at the University of Mississippi School of Law.

*See footnotes on page 18

5 National Association of Attorneys General August/September 2003

VOIR DIRE IN COMPUTER-FACILITATED CRIMES AGAINST CHILDREN

Susan S. Kreston

“The bottom line is that society condemns child molestation in the abstract, but how it responds to individual cases depends on who the offender is, who the victim is, and whether the case fits their stereotypical ideas.”1

Nowhere are the above words more true victim is a boy, that fact should also be brought out than in computer-facilitated child sexual exploitation immediately, as many jurors will automatically assume cases. As “society” comprises the jury pool from the victim was a girl. If the facts of the crime indicate which prosecutors must select the triers of fact in that the child was a compliant victim (i.e., did not fight these cases, selecting the right jurors is of critical back, did not immediately report the abuse, bonded importance in the process of securing a conviction in with the perpetrator, initiated the contact), the jury must these newest types of crimes against children. be questioned to discern how they feel about this behavior and make certain they understand that this is I. The Underlying Crime. Although not a defense. The law exists not only to protect these cases involve computers, at their core they are children from adults, but also from themselves. child abuse cases and must address all the traditional components of such a case. In luring cases, the first Jurors’ attitudes toward child and adult questions should be about whether the potential juror pornography should be explored in child pornography has children or grandchildren, if those children or cases.. Prosecutors may inquire as to what, if any, grandchildren use the Internet and what type of media coverage of child pornography, or child sexual supervision is provided during those sessions. The exploitation generally, potential jurors have been prosecutor should delve into possible stereotypes exposed and how they feel about that issue. Most surrounding offenders, such as “Does anyone think importantly, the jury must be informed that child like they would recognize the type of person who pornography is not constitutionally protected. engages in sexual conduct with children on sight?” or “Does everyone agree that this type of crime, like II. Computers and Computer most crimes, can be committed by people from all Evidence. This area of questioning will deal with the walks of life?" potential juror’s exposure to and comfort with computers. Questions in this area would cover the In most online luring cases, the victim will be following: whether the person uses a computer; where; a teenager and may have some emotional difficulties how often; and for what purposes. Prosecutors might in testifying. The jury must be made aware of the also ask if the potential juror accesses the Internet, how child being an older child and any problematic issues, often, and for what purposes. Next, the juror’s ability such as recantation or behavioral troubles of the to listen to and understand computer evidence and a victim, must be dealt with as early as possible. If the forensic examiner’s testimony must be assessed. While

1 Kenneth V. Lanning, (2001) Child Molesters: A Behavioral Analysis for Law Enforcement Officers Investigating the Sexual Exploitation of Children by Acquaintance Molesters (4th ed.) OJJDP, p.142.

6 National Association of Attorneys General August/September 2003

making certain that jurors understand that they will be mean that no crime occurred. In child pornography presented with forensic evidence, the technical nature cases, the fact that an image of a child being sexually of these cases should be underplayed to maximize violated was sent to a police officer, rather than jurors’ comfort level at the start of the trial. It also someone else, does not mean that the defendant is not assists in making the point that this is a child abuse guilty. case, not a computer case. The second type of defense is mistaken III. Government Regulation of the identity. This is simply a variation on the traditional Internet. Most jurors will give broad theoretical defenses of “I’ve been framed” or “some other dude support to the concepts behind the First Amendment. did it (‘SODDI’).” As such, voir dire will cover the Prosecutors have to make certain jurors understand types of evidence or factors a potential juror would use that these free speech interests must be in determining identity in any case generally, and then in counterbalanced against the government’s compelling a computer-facilitated case. interest in both protecting children and prohibiting crime. Not all Internet speech is protected, including The third defense occurs when the defendant libel, fraud and child pornography. In fact, the claims that the necessary element of intent is not present government has regulated a variety of mediums for in his case. This may arise in any of the following forms: decades, including television. Prosecutors must make fantasy; good samaritan; accident; mistake of age; or certain jurors understand that prohibiting child deleted images. Questions along the following lines may pornography (and other criminal activity) is not the help identify the jurors best suited to see through these same as regulating constitutionally protected free types of untrue defense: speech. Additionally, if the potential juror has “If two people agreed to the same set of facts children, inquiring into what their practices are or actions as being true (provide an example), but regarding allowing their children access to the Internet offered irreconcilably different explanations for these may speak volumes on their acceptance of regulation facts or actions, how would you decide who was telling as a necessity in protecting children. the truth?”

IV. Diffusing Potential Defenses. “Intent is not a tangible thing - something you can hold in your hand or put up to the light to examine. There are a relatively small number of How do you determine someone’s intent? For consistently raised potential defenses in these cases. example…” The first type of defense is actually an attack on the police and their investigatory methods. Potential bias “Have you ever been on the Internet and had against undercover, pro-active “sting” tactics should a pop-up appear? What type of pop-up was it? What be examined. After asking about jurors’ comfort level did you do?” with these methods, it must be made clear to jurors that not only are these methods legal, but they are “If an individual claimed that something came used to put the officers in harm’s way to block into his or her possession accidentally, how would you offenders who are successfully targeting real children. decide whether that was true? For example…” The fact that there is no “real” victim in a luring case should be addressed, stressing that simply because The fourth defense is loosely termed the “First the police took on the persona of a child does not Amendment” or privilege defense. This occurs where

7 National Association of Attorneys General August/September 2003 defendants admit to possession of child pornography, that the images are completely computer generated, but claim they possess it in furtherance of activity and the State will call its own expert to testify to the protected by the Constitution or a legally viable contrary, additional questions should be asked. These reason. These include the reporter working on a story might include: about child pornography, the medical practitioner who needs it for a book on child sexual abuse, or a “If you hear conflicting testimony from two “photographer” who claims the image isn’t child experts, do you feel comfortable in the role of the pornography but “nude art.” In these cases the decision maker who will resolve this? Do you prosecutor must stress, if applicable, the lack of any understand that if there is a conflict among experts, this such exemption from the child pornography laws for conflict is not the same thing as reasonable doubt. Can people of the defendant’s profession. If the defendant you, as the finder of fact, decide what weight to give has a legitimate purpose for the contraband and the each expert’s testimony?” law allows for such possession, the State may still contend that the defendant was using it for purposes “Do you understand that the testimony of an outside the prescribed exemption. The prosecutor expert can be accepted or rejected, just like that of any must inquire how the juror would decide if the other witness?” defendant had a legitimate purpose. V. Conclusion Finally, a word about the virtual child pornography defense. The recent decision in In addition to the substantive issues and areas Ashcroft v. Free Speech Coalition has resulted in noted above, prosecutors should consider their own the prosecution now having to prove that the image of personality and courtroom persona style when child pornography is of a real child. The prosecution conducting voir dire, as opposed to standing in front of does not, however, have to prove the identity of the a group of strangers and simply asking them questions. child. Questions regarding jurors’ awareness of that Not only is voir dire an opportunity to educate the jury, case and their understanding of it should be it is just as importantly an opportunity to gauge potential scrutinized. Questions that might be asked include: jurors’ attitudes and beliefs about key aspects of these cases. One of the best techniques to get this information “Are you familiar with any court decisions is to ask open ended questions that ask a juror to give regarding pornography? Child pornography? What more than a “yes” or “no” answer. The best voir dire do you understand those decisions to say? What do incorporates personal style with the specific case, the you think of those decisions?” potential jurors, the judge, local rules and practice, and “Have any of you ever heard the term “virtual other external factors, all coming together to yield a child pornography?” What does that term mean to truly conducted and dynamic voir dire. you?” Susan Kreston is Counsel for the National Center for Justice and the Rule of Law and a Visiting Professor at the University of Mississippi School of Law. This article is “As part of its case, the State must prove that written with the assistance of Brad Astrowsky, Technology the images the defendant is charged with and Electronic Crimes Bureau Chief, Maricosa County, possessing/distributing/producing are images of real Arizona Attorney’s Office; Robert Morgester, Deputy children. The State does not have to prove the Attorney General, Special Crimes Unit, Office of the California Attorney General; and Dick Reeve, General identity of any particular child, only that the image is Counsel, Denver District Attorney’s Office. A full list of of a real child. Does everyone understand the State’s potential voir dire questions is available from the author at burden on this point?” [email protected].

If the defense plans to call an expert to testify

8 National Association of Attorneys General August/September 2003

AG Initiatives

ARKANSAS and clearly state whether his products are authentic or Attorney General Mike Beebe toured six reproductions. The case was handled by Assistant Arkansas cities to discuss his “Keys to Safety” Attorney General Jeff Feltman. program, a guide to familiarize parents with online safety, child abduction and runaway issues. IOWA Attorney General Tom Miller filed a lawsuit CALIFORNIA seeking to prevent DotNow.com, a Colorado Internet Attorney General Bill Lockyer, working service provider that operates from a Des Moines with the Department of Motor Vehicles (DMV), broke address, from doing business until it provides business a counterfeit driver’s license operation believed records sought by consumer protection investigators. responsible for producing fake IDs that were distributed The suit alleges that DotNow.com and its president, in California, 40 other states and the District of Edgar Andres of Des Moines, failed to respond fully to Columbia via the Internet. Jason Miller of Tempe, a formal investigative demand from General Miller’s Arizona was charged with producing hundreds of office seeking customer lists and records of customer counterfeited driver’s license laminates bearing the complaints. California DMV and State seals and, in some cases, the magnetic strips and selling those laminates to individuals MASSACHUSETTS who used them to manufacture fake IDs. Miller’s Attorney General Tom Reilly has settled a company, Mexus, Inc. also manufactured counterfeit case against the owner of an Internet web site that Texas, Arizona, Oregon, Michigan and New Jersey illegally sold Massachusetts lottery tickets at an laminates. The Sacramento Valley High Technology increased cost. Although the lottery fixes the price of Crimes Task Force, composed of members of General lottery tickets at $1 each, masslotteryonline.com illegally Lockyer’s office and the Sacramento Sheriffs office, sold tickets at $2, including a $1 per wager “service assisted in serving search warrants. The investigation charge.” Under the agreement, owner Hank continues, and more arrests are expected. Bagrowski of Wilmington will refund the overcharges to customers and shut down his Internet operation at ILLINOIS masslotteryonline.com. The case was handled by Attorney General Lisa Madigan filed a Assistant Attorneys General Ernest Sarason and court order requiring Christian Haake of Washington Rosemary Connolly and Investigators Monique County to refund thousands of dollars to online auction Cascarano and Nozomi Murakami. buyers who bought expensive Rolex watches that turned out to be fakes. Haake, who does business MICHIGAN online as “Hakeypoo,” was charged with violating Attorney General Mike Cox issued a Notice provisions of the Consumer Fraud and Deceptive of Intended Action to remove.org, a web site that Practices Act for selling items as authentic when, in promises to protect consumers from spam and fact, buyers received reproductions. Haake was pornographic e-mails for $10 monthly. The site also ordered to refund $7,000 to two online customers who promises to add consumers’ names to its “National Opt- filed complaints with General Madigan’s office. He has Out Directory” and actively pursue marketers who already reimbursed a third customer. The refunds will send unwanted mail to its members. The operator of the be coordinated through General Madigan’s office in site, Jonathan Angell, responded to the Notice within monthly installments. The order also mandates that hours. Haake stop hiding negative feedback from online bidders, use easy-to-read type when posting disclaimers MISSOURI

9 National Association of Attorneys General August/September 2003

John Bradford Jensen of Springfield, who was rebates for a six-year period, abide by fair practices, sued by Attorney General Jay Nixon for advertising and submit to monitoring by General Spitzer and the sports cards on the Internet but never delivering the FTC. The case was handled by Ken Dreifach, Chief of cards, was ordered to pay restitution to consumers and General Spitzer’s Internet Bureau. to the State of Missouri. Under the terms of the order, Jensen was prohibited from selling goods or services OKLAHOMA over the Internet and was ordered to pay $754 to After an investigation by Attorney General consumers who paid for the cards and $3,000 to the Drew Edmondson’s Consumer Protection Unit, Aline State. Jensen faces penalties of up to $5,000 per Wollmann of Tulsa, owner of Digital Systems violation if he fails to comply with the order. Technology, was charged with seven counts of unfair or dec eptive trade practices. Wollmann advertised NEW JERSEY computer hardware, software, data conversion and Attorney General Peter Harvey’s Division other services on the Internet, and allegedly failed to of Criminal Justice charged an online auction seller with provide the products and/or services for which she was the theft of more than $18,000 from individuals in the paid. She is accused of bilking more than $13,600 from United States and foreign countries who bid on consumers in other states. merchandise through Internet auction sites. Hope Van Sickle, a/k/a Hope LaFountain, of Ocean County was PENNSYLVANIA charged with one count of theft by deception, a third Agents from Attorney General Mike degree crime punishable by up to five years in state Fisher’s Bureau of Criminal Investigation (BCI) and prison and a fine of up to $15,000. Van Sickle had used officers of the Child Sexual Assault Task Force her home computer to advertise merchandise such as (composed of members from the Attorney General’s computers and digital cameras which she did not Office, the Dauphin County District Attorney’s Office possess, collected advance payments and failed to and the Susquehanna Township Police Department) deliver the items purchased. On other occasions have arrested Michael McCreary of Harrisburg for purchasers returned the low quality merchandise she allegedly attempting to arrange a sexual encounter with delivered, but received no refund. a 12-year-old girl. McCreary is charged with one count of criminal attempt/unlawful contact with a minor. If NEW YORK convicted, he faces a maximum penalty of 20 years in Attorney Ge neral Eliot Spitzer announced prison and a $25,000 fine. The case will be prosecuted the filing of a consent decree requiring UrbanQ, an by Deputy Attorney General Eric Augustine. online retailer of apparel and household products, to pay over $600,000 in rebates to consumers. The company, SOUTH CAROLINA based in Cedarhurst, sold products (often retired or odd Attorney General Henry McMaster lot items) at inflated prices while offering unusually announced that John Smith, a former nuclear shift generous rebates, called “Qbates,” which often supervisor at Duke Power Company’s Catawba amounted to 100 percent of the purchase price. The Nuclear Station, has been indicted by the state grand rebates, offered directly by UrbanQ instead of the jury on one count of second degree computer crime and manufacturers, were supposed to be paid within 12 14 counts of second degree sexual exploitation of a weeks after consumers submitted the required “Qbate” minor. The indictment alleges that while at work Smith forms. However, General Spitzer’s office received 240 downloaded a series of computer video files depicting complaints that UrbanQ had not honored the rebates. minors engaged in explicit sexual activity. The child All would be entitled to relief upon approval of the pornography was discovered on Smith’s company decree. General Spitzer’s pleadings, submitted jointly computer by Duke Power management who routinely with the Federal Trade Commission (FTC), alleges that monitor company computers for prohibited or illegal UrbanQ’s practices were deceptive and misleading. activities under a company workforce policy. The settlement requires the defendants, including the Management then turned the information over to the company’s officers and principals, to post a $500,000 South Carolina Computer Crime Center, a partnership bond prior to offering rebates, keep records involving

10 National Association of Attorneys General August/September 2003 of the State Law Enforcement Division, the Secret Justice Division. General Abbott also announced grand Service and the FBI. jury indictments against three men arrested in Hays County on charges of attempted sexual performance of Second degree sexual exploitation of a minor is a child after they arranged to meet General Abbott’s a felony carrying a two to five year prison term. The Cyber Crimes investigators, posing as 13-year-old minimum term may not be suspended, and persons children online. The crime is a third degree felony, convicted are not eligible for parole until they have punishable by up to ten years in jail. served the minimum sentence. Computer crime in the second degree is a misdemeanor with a pris on term of UTAH up to one year, a fine up to $10,000 or both. If The Utah Internet Crimes Against Children convicted, Smith will be required to register in North Task Force, which Attorney General Mark Shurtleff Carolina, his state of residence, as a sex offender. This administers, charged Daniel Smith of West Jordan with indictment is the first instance in which the State Grand repeated sexual abuse of a child, then using the child Jury has used its authority to investigate and prosecute victim to troll on the Internet with him for other crimes involving violations of the Computer Crime Act. children. Smith was arrested after an investigation in which a Task Force agent, posing as a 13-year-old girl, SOUTH DAKOTA began an online chat with the victim. Smith is charged The seizure of a customer database by with six first degree felonies and, if convicted, could Attorney General Larry Long’s investigators led to face a sentence of up to life in prison. the arrest of four South Dakota men on charges of child pornography. The child pornography sting, called VIRGINIA Operation Site-Key, originated with a search warrant of Attorney General Jerry Kilgore unveiled a Site-Key, a California credit card verification service handbook on identity theft to celebrate the effective with a database of customers who had used the service date of the Identity Theft Protection Act. General to purchase or attempt to purchase child pornography Kilgore also presented the first Identity Theft Passports over the Internet. Arrested were Scott Wells of Belle to three Virginia victims of the crime. The Act Fourche, Calvin Luke of Salem, Richard Buechler of provides for an Identity Theft Passport Program within Sioux Falls and Craig Worm of Dell Rapids. The cases the Virginia Attorney General’s Office, and victims are being prosecuted by the Attorney General’s Office who learn that their identities have been stolen, by and the local States Attorney’s offices. submitting expungement orders or police reports, can apply for an Identity Theft Passport there. The TEXAS Passport serves as a shield to protect victims from Attorney General Greg Abbott unveiled his arrest for crimes committed by someone else under new Cyber Crimes Unit which will focus on arresting their identity. suspected child predators. The Unit is funded by a grant from Texas Governor Rick Perry’s Criminal

11 National Association of Attorneys General August/September 2003

In The Courts

Listserv Moderator/Website Operator shall be treated as the publisher or speaker of any Who Posts a Defamatory E-Mail Provided by a information provided by another information content Third Party For Publication May Not Be Liable provider,” thereby limiting liability for Internet postings, the district court declined to extend the grant of Batzel v. Smith, No. 01-56556 (9th Cir., June immunity to Cremers and his Network, holding that 24, 2003) the Network was not an internet service provider. Handyman Robert Smith, who had Cremers appealed. The Ninth Circuit disagreed with been hired to work on attorney Ellen Batzel’s home, the district court’s reading of Section 230, finding that claimed Batzel told him that she was related to high- Cremers’ Network and listserv were potentially ranking Nazi officials and, at a later time, mentioned immune under Section 230. However, because Smith that some of the paintings in her house, which looked maintained that he would not have sent the message if old and European, were inherited. Smith searched the he knew it was going to be posted, the question for Internet for information on stolen art work and found the court was whether he “provided” the e-mail in the the Museum Security Network website. He sent an sense intended by Section 230©. The court therefore e-mail to the Network in which he related these vacated the district court’s order denying Cremers’ “clues” and said that he believed the paintings were motion and remanded the case for further proceedings looted during W.W. II from Jewish people. Ton to develop the facts and evaluate what Cremers Cremers, sole operator of the Network, which is read reasonably could have concluded. by hundreds of museum security officials, insurance investigators and law enforcement personnel, Vermont Statute Banning Internet published Smith’s message. Batzel discovered the Distribution of Sexually Explicit Materials That message several months later and complained to Are Harmful to Minors Violates First Cremers, who subsequently contacted Smith to Amendment and Dormant Commerce Clause request additional information. Smith insisted his statements were true but told Cremers that he would American Booksellers Foundation v. Dean, never have sent the e-mail if he knew it would be No. 02-7785 (4th Cir., August 27, 2003) published. Plaintiff Sexual Health Network, Inc. (SHN), Batzel, claiming she had lost several a Delaware corporation whose principal place of clients and was being investigated by the bar, sued business is in Connecticut, maintains a website that Smith and Cremers. Cremers countered with a motion contains information on sex-related topics. In 2000, to strike, alleging Batzel’s suit was meritless and 13 V.S.A. Section 2802’s prohibition against attempted to interfere with his First Amendment distributing sexually explicit materials that are “harmful Rights, and a motion to dismiss for lack of personal to minors” was amended to extend to Internet jurisdiction. The U.S. District Court for the Central communications. Plaintiffs sought declaratory and District of California denied both motions. Although injunctive relief from enforcement of the amended Section 230©(1) of the Communications Decency Act statute on the basis that it violated the First of 1996 (Pub.L. No. 104-104) specifies that “no Amendment and the dormant Commerce Clause. In provider or user of an interactive computer service response, Vermont passed another amendment to the

12 National Association of Attorneys General August/September 2003 statute, which prohibited the distribution when it Over a 21-month period, Hamidi, on behalf of FACE- occurs “outside the presence of the minor,” but the Intel, sent six e-mails to employee addresses at Intel disseminator had “actual knowledge” that the recipient criticizing Intel’s employment practices, warning was a minor. Plaintiffs amended their complaint to employees of the dangers to their careers and include both the old and new amendments. The U.S. suggesting that employees consider moving to other District Court for the District of Vermont found that companies. Employees were offered the ability to opt the statute violated both the First Amendment and the out of further messages. Intel demanded in writing that dormant Commerce Clause and enjoined Vermont Hamidi and FACE-Intel stop sending e-mails, but from enforcing the statute. Vermont appealed. Hamidi asserted they had a right to communicate with willing employees. Intel sued Hamidi and FACE-Intel The 2nd Circuit, while acknowledging that the for trespass to chattels, seeking an injunction against Constitution permits a state to impose restrictions on further e-mail messages. The Sacramento County a minor’s access to material considered harmful to Superior Court entered default against FACE-Intel for minors, even if the material is not obscene to adults, failing to answer and granted Intel’s motion for stated that such restrictions may not limit non-obscene summary judgment, permanently enjoining Hamidi and expression among adults. The court also noted that FACE-Intel from sending unsolicited e-mail to Vermont’s interest in protecting minors from addresses on Intel’s computer systems. Only Hamidi pornographic material on the Internet could be appealed. The Court of Appeals for the Third achieved by other means, such as Internet filtering, that Appellate District affirmed, finding that the use of or would not burden protected adult expression. The meddling with another’s personal property is statute, therefore was held to violate the First actionable as a trespass to chattels without proof of Amendment. Further, the court found that while the any actual injury to the property. Hamidi filed a statute did not discriminate against interstate petition for review. commerce on its face, Vermont had “projected” its legislation into other states, directly regulating The California Supreme Court noted that there commerce, and in violation of the dormant Commerce was no evidence to suggest any actual or threatened Clause. However, the court confined its findings only damage to Intel’s computer system or any interference to the internet speech presented by plaintiffs, thereby with its operation. Intel’s complaint, said the court, ordering that the injunction issued by the district court was thus about the contents of the messages rather be modified accordingly. Note: This case was than the functioning of the company’s e-mail system, argued by Assistant Attorney General Joseph Winn and this “impairment by content” was a far cry from for the State of Vermont. the injuries to possession that trespass law was designed to protect. The court added that while Ex-Employee Did Not Trespass on unwelcome communications can cause injury to Company Computers By Sending E-Mail Critical economic relations and reputation, those interests are of Employer to Current Employees protected by other branches of tort law. The court thus found that Intel had not presented facts Intel v. Hamidi, No. S103781 (Cal., June demonstrating an injury to personal property, or its 30, 2003) interest in that property, to support an action for trespass to chattels. The decision was reversed. Hamidi, a former Intel engineer, and others formed Former and Current Employees of Intel (FACE-Intel) to disseminate information and views critical of Intel’s employment and personnel policies.

13 National Association of Attorneys General August/September 2003

Legislation

ARKANSAS, MICHIGAN, TEXAS of sex offenders. The online registry would be CRACK DOWN ON SPAM searchable by name, zip code and address. The lawsuit claims that the law restricts personal freedom Arkansas’ anti-spam law is now effective, without a due process hearing, is illegally applied to and requires any spam with sexually-themed content to past offenders, adds punishment without a jury trial, include the warning “ADV:ADULT” in the subject line. treats different groups of offenders similarly and creates Additionally, all spam must include a space which the a special class of people without a compelling state consumer can click on to return the e-mail to the sender interest. with a demand to be taken off the mailing list. Michigan Governor Jennifer Granholm has signed HOUSE PASSES PERMANENT BAN House Bill 4519 which creates measures to cut down ON INTERNET TAXES on spam. The new law requires senders of unsolicited commercial e-mail to include “ADV” as the first The U.S. House of Representatives has passed characters of the subject line, as well as a valid method by voice vote H.R. 49 which would permanently ban all for consumers to opt out of receiving future e-mails. state taxes on Internet access. The measure would ban The sender also is required to establish and maintain the taxation of Internet connections and eliminate the policies and records to ensure that a recipient who “grandfather” clause that currently allows 10 states opted out of receiving e-mail solicitations does not (Hawaii, New Hampshire, New Mexico, North receive further messages. Violation of the law will Dakota, Ohio, South Dakota, Tennessee, Texas, result in a misdemeanor punishable by up to one year in Washington and Wisconsin) to maintain taxes they had prison and/or a fine of up to $10,000. A civil action imposed prior to the 1998 passage of a moratorium on could be brought by either the Attorney General’s Internet access taxes (PL 105-277). The office or by the recipient of the spam. Congressional Budget Office estimates that abolishing the exemption would cost those states between $80 Texas’ anti-spam law became effective on million to $120 million a year in total, with Texas alone September 1, 2003, making it illegal to send unsolicited estimated to lose more than $50 million a year. e-mail that uses misleading subject lines or offers unlabeled obscene material. Unsolicited advertising The Senate Commerce, Science and must have “ADV” in its subject line, and messages with Transportation Committee approved a similar bill sexual material must say”ADV: Adult Advertisement.” (S.150) in July, but that bill would keep the Violators can be fine $10 for each mislabeled, “grandfather” clause in effect for three more years, unsolicited e-mail message, up to $25,000 per day. giving the states more time to replace the lost revenue. Both bills would ensure that all forms of technology MISSOURI ENACTS SEX OFFENDER used to connect to the Internet would be exempt from POSTING LAW DESPITE LAWSUIT taxation. The Administration supports the legislation and has urged speedy passage. Missouri Governor Bob Holden has signed into law a bill allowing the state Highway Patrol’s list of sex offenders to be posted on the Internet, despite a lawsuit challenging its constitutionality filed by a group

14 National Association of Attorneys General August/September 2003

SENATE COMMITTEE CRACKS The tougher Senate bill (S. 627) would DOWN ON INTERNET CIGARETTE SALES prohibit Internet gambling businesses from knowingly accepting wagers placed with credit cards or other The Senate Judiciary Committee has approved financial instruments. It would also make it illegal for by voice vote S. 1177, which would force Internet credit card companies to knowingly process such distributors to pay or collect state tobacco taxes on transactions from Internet-based gambling firms. their sales. The measure would amend the Jenkins Act Violators would be subject to fines and prison terms (PL 81-363) which requires cigarette shippers to file of up to five years. Unlike the House bill, no reports with state tobacco tax administrators. It would exemptions would be permitted for state-licensed make it a felony, instead of a misdemeanor, to violate online gaming operations. the Jenkins Act, and would give state Attorneys General power to bring civil and criminal charges in federal court for violations. The Bureau of Alcohol, Tobacco, Firearms and Explosives would also be given new enforcement powers. The bill as passed includes smokeless tobacco and specifies that a “delivery sale” takes place in the state in which consumers take delivery. Similar legislation (H.R. 2824) has been introduced in the House.

FULL HOUSE, SENATE COMMITTEE PASS INTERNET GAMBLING BILLS

The full U.S. House of Representatives and the U.S. Senate Banking, Housing and Urban Affairs Committee have passed very different Internet gambling legislation. The House bill (H.R. 2143) would not prohibit online gambling, but would prohibit the use of credit cards and other financial instruments used for Internet betting. The measure lacks any criminal punishments, but was intended to give financial regulators more oversight. The bill would provide an exemption for state regulated or licensed transactions.

15 National Association of Attorneys General August/September 2003

NEWS YOU CAN USE

COMPUTER EMERGENCY The National Center for Supercomputing RESPONSE CENTER CREATED Applications (NCSA) at the University of Illinois’ Urbana-Champaign campus has received an initial $5.7 The Department of Homeland Security (DHS) million grant from the Office of Naval Research to has joined with Carnegie Mellon University to create establish a research center to develop technology against the U.S. Computer Emergency Response Team (US- enemy hackers. Other research projects will include CERT) to coordinate national and international efforts developing remotely programmed radios, refining ways to prevent and respond to cyber attacks across the for monitoring battlefield environments and determining Internet. Additionally, DHS appointed Amit Yoran, the best way to share information among military forces a vice president with Symantec Corporation, to be without fear of interception. NCSA is a high- the Department’s new cyber-security chief. Yoran performance computing center that develops and deploys co-founded Riptech, Inc., which monitored computing, networking and information technology for government and corporate computers to protect them government and industry. against attacks. He sold the company last year to Symantec. Before founding Riptech, Yoran was “OPERATION PREDATOR” LAUNCHED director of the vulnerability assessment program for TO PROTECT CHILDREN the Defense Department’s computer emergency response team. The Department of Homeland Security has launched “Operation Predator,” an initiative that will use the U. PENN STUDY: WEB PRIVACY Internet more effectively to track sex offenders who prey POLICIES MISUNDERSTOOD on children and will build a central database of child pornography images, the National Child Victim A study of 1,200 adult Internet users by the Identification System, to help rescue the children involved Annenberg Policy Center at the University of and arrest their exploiters. The operation, which will be Pennsylvania found that 57 percent believed run by the Department’s Bureau of Immigration and incorrectly that when a web site publishes a privacy Customs Enforcement, will for the first time allow agents policy, it will not share their personal information with to prioritize and identify illegal aliens who are serving time other web sites or companies. Nearly two thirds of for sexual offenses to ensure they are deported upon the adults admitted never searching for information completion of their sentence. about how to protect their privacy on the Internet, and 40 percent confessed they knew “almost nothing” RAND STUDY PREDICTS U.S. TECH about shopping sites collect and use their personal DOMINATION information. The Rand Corporation’s National Defense Research U. ILLINOIS RECEIVES NAVY Institute released a study which predicts that the United GRANT TO IMPROVE MILITARY States will continue to dominate global technology for the SECURITY foreseeable future, but China could eventually threaten its lead. The study also said that Europe would continue to trail the United States technology industry because of

16 National Association of Attorneys General August/September 2003 concerns over job loss and social instability. Rand, an independent nonprofit think tank that specializes in national security and economics research, also said that Japan’s prolonged economic downturn could clear the way for China to fill Asia’s information technology “power vacuum.”

INTERNET GAMBLING CRACKDOWN CAUSES WTO COMPLAINT

The World Trade Organization (WTO) will appoint a three-member panel to determine if U.S. efforts to crack down on offshore Internet gambling operations violate international trade accords. The announcement comes in response to a challenged filed by Antigua and Barbuda, a Caribbean nation that is a major nexus for the Internet gambling industry. U.S. trade authorities maintain that online gambling services are not within the scope of U.S. trade commitments. Under WTO rules, both sides in the trade dispute have 30 days to agree upon the appointees to the panel. The decision of the panel be appealed, but any ruling by the appellate board is binding.

PEW STUDY: SONG SWAPPERS UNCONCERNED ABOUT COPYRIGHTS

The Pew Internet and American Life Project has released a study finding that 67 percent of U.S. Internet file swappers are indifferent to copyright concerns. The survey of 2,515 U.S. adults took place from March through May, 2003 – a few months before the recording industry began gathering evidence to sue individual file swappers. The study also looked at demographics, finding that income level often correlated with file swapping. According to the report, people from lower income households are more likely to download files online. Students are also very likely to download, with about 56 percent reporting they’ve downloaded songs. Those who had obtained a college degree were reported as most concerned about copyright laws.

17 National Association of Attorneys General August/September 2003

PLUG PULLED ON UCITA It describes the testing environment and documents test results. It can be accessed at The National Conference of Commissioners on http://www.ncjrs.org/pdffiles1/nij/200031.pdf. Uniform State Laws (NCCUSL) has pulled the plug on all efforts to help states introduce and enact the Uniform Computer Information Transaction Act (UCITA). The Act, drafted four years ago, was meant to protect software developers from intellectual property theft by resolving conflicting software licensing laws that vary by state. However, critics have charged that UCITA favors corporate interests over those of consumers, in addition to granting software makers too much freedom in restricting the use of their products and in dictating settlement terms for conflicts. Only Maryland and Virginia have enacted UCITA.

SUPREME COURT ORAL ARGUMENTS AVAILABLE IN MP3 FORMAT

The OYEZ Project, undertaken by Northwestern University, is making Supreme Court oral arguments available in MP3 format which allows offline listening, use of portable devices and sharing through peer-to-peer networks. OYEZ buys tapes from the National Archives and Records Administration and copies them into “.wav” files for streaming. A student team then edits the files and converts them into MP3 files. The next batch of files, 600 hours of arguments from the 2001 term, will be released by October 1, 2003. The MP3 files are available from OYEZ under a Creative Commons copyright license, which encourages redistribution but gives OYEZ some ownership. The OYEZ site is at http://www.oyez.org/oyez/frontpage.

COMPUTER FORENSIC SOFTWARE TOOL EVALUATED

“Test Results for Disk Imaging Tools: Encase 3.20” has been published and presents test result of this computer forensic software tool that allows investigators to examine hard drives and disks for deleted, hidden and/or renamed computer files.

18 National Association of Attorneys General August/September 2003

1 See, e.g., Laurie Kellman, Report: Identity Theft is Fastest Growing U.S. Crime, Associate Press, Aug. 4, 2002. (available at www.nctimes.net/news/2002/20020804/70059.html) (visited July 9, 2003); see also, Identity Theft: Is There Another You?: Joint hearing before the House Subcomms. On Telecommunications, Trade and Consumer Protection, and on Finance and Hazardous Materials, of the Comm. on Commerce, 106th Cong. 16 (1999) (testimony of Rep. John B. Shadegg). 2 See, Sean B. Hoar, Identity Theft: The Crime of the New Millennium, U.S. DOJ, Executive Office for United States Attorneys, USA Bulletin, Mar. 2001, Vol. 49, No. 2 (available at www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm) (visited Aug 1, 2003); Erin M. Shoudt, Identity Theft: Victims “Cry Out” for Reform, Comment, 52 Am. U. L. Rev. 339, 392 (Oct. 2002) (“Identity theft is becoming an epidemic.”) 3 See, FBI Special Agent Bob Pocica, (FBI Special Agent working with the Internet Fraud Complaint Center (IFCC)) Live Online, Inside the FBI, WASHINGTONPOST.COM, originally on-line May 31, 2001 (available at www.discuss.washingtonpost.com/wp- srv/zforum/01/fbi0531.htm) (visited Aug. 4, 2003) (“Most identity theft and financial fraud cases are underreported by individuals and businesses, as such it is hard to truly identify the scope of the problem.) 4 Federal Trade Commission, National and State Trends in Fraud and Identity Theft, Jan-Dec 2002, Jan 22, 2003, at 2. 5 Id. 6 Id. (this includes both identity theft and fraud complaints made to the Consumer Sentinel) 7 Id. The source allocation and a breakdown of these statistics is relevant to the overall analysis of “the problem” of identity theft. The “data contributors” for the Consumer Sentinel during 2002 were: Social Security Administration 6%, Better Business Bureaus 2%, FTC 1-877-ID THEFT (phone reporting) 30%, FTC Fraud web complaints 12%, FTC 1-877-FTC HELP (phone reporting) 11%, FTC IDT web complaints 7%, Internet Fraud Complaint Center 16%, National Consumers League 8%, Canada’s “Phone Busters” 7%, and Misc. other organizations (IDT & Fraud) 1%. Id. The Consumer Sentinel’s top “Complaint Categories” during this same period of time were: Health Care 2%, Magazines and Buyer’s Clubs 2%, “Others” 11%, Identity Theft 43%, Internet Auctions 13%, Internet Services and Computer Complaints 6%, Advance-Fee Loans and Credit Protection 5%, Shop-at-home Catalog Sales 5%, Foreign Money Orders 4%, Prizes / Sweepstakes and Lotteries 4%, Business Opps and Work-at-Home Plans 3%, Telephone Svcs 2%, Health Care 2%. 8 To date, the business and financial community has generally played a somewhat passive role of handling crimes perpetrated against their consumer base, considering them in the overall scheme as a “cost of doing business.” For instance, credit issuers report billions of dollars in fraud “losses” each year but the actual harm to the business is minimal. George May, in a recent article, Stop Thief, Are Credit Bureaus and Creditors ‘Silent’ Co-Conspirators to Identity Theft?, (Journal of Texas Consumer Law) reported, “they make the business decision that it is easier and more efficient to burden honest consumers with these losses than it is to prevent, or pursue, identity thieves. And any losses that cannot be passed along can be written off and reduce the entity’s tax bill.” (Id. internal citation omitted) Another “player” in the world of identity theft is the credit bureaus. As these companies do not actually extend any credit they do not experience any monetary loss. In some ways identity theft has been advantageous to credit bureaus. The “super-bureaus” (Equifax, Experian, and Trans Union) have gone as far as capitalize on consumer fear and market such programs as Equifax’s “Credit Watch” that generates revenue and allows the collection of additional consumer information that is then marketed to outside sources for additional profit. See generally, Stacy Forster, If Credit-Report Firms Can Flag Errors, Why Not Do It For All?, T HE WALL STREET JOURNAL ONLINE, (available at http://www.ucan.org/News/WSJcredit7- 26htm.) (visited June 17, 2003) (reporting generally about the profit-motivated credit-monitoring programs currently offered to consumers by the credit-reporting companies.) 9 The enactment of this Section on October 30, 1998 was particular relevant and necessary as the law previously addressed only the fraudulent creation, use, or transfer of identification documents, and not the theft or criminal use of the underlying personal information. 10 The majority of the information from this section can be found in a report prepared by Asst. U.S. Atty. Sean B Hoar, District of Oregon, Identity Theft: The Crime of the New Millennium, U.S. DOJ, Executive Office for United States Attorneys, USA Bulletin, Mar. 2001, Vol. 49, No. 2 (available at www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm) (visited Aug 1, 2003). 11 Basically, the Identity Theft Act re-defined this to include the types of computer and other high-tech equipment being employed by identity thieves. 12 Colorado and Vermont have not enacted specific identity theft statutes. States that punish identity theft as a felony: Alaska, Arizona, Arkansas, Connecticut, Delaware, Georgia, Hawaii, Indiana, Kansas, Kentucky, Michigan, Nevada, New Hampshire, North Carolina, North Dakota, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Texas, West Virginia and Wisconsin. 13 Thus the offense can be generally classified as either a felony or a misdemeanor depending upon the value of the “thing” misappropriated through the identity theft. 14 The following states “grade” identity theft. The value of misappropriation is the most common manner to “grade” the offense: Alabama, California, Florida, Idaho, Illinois, Iowa, Louisiana, Maryland, Massachusetts, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New York, Ohio, Pennsylvania, Utah, Virginia, Wyoming and Maine (treats identity theft as a Class

19 National Association of Attorneys General August/September 2003

“D” offense). Mississippi, South Dakota and New Mexico treat identity theft as a misdemeanor. 15 The pecuniary requirement in California is codified at Cal. Penal Code 530: Every person who falsely personates another, in either his private or official capacity, and in such assumed character receives any money or property, knowing it is intended to be delivered to the individual so impersonated, with intent to convert the same to his own use, or to that of another person, or to deprive the true owner thereof, is punishable in the same manner and to the same extent as for larceny of the money or property so received. 16 Delaware, Illinois and Pennsylvania have enacted “aggravated” identity theft statutes. 17 Obviously, the general act of attempting to purchase alcohol by an underage individual through fraudulent means would be punishable under other statutes, but it would not constitute identity theft. States having “age exceptions” include: Alabama, Arkansas, Indiana, Kentucky, Louisiana, New Jersey, New York, Oregon, Rhode Island, Washington and West Virginia. 18 20 states have specific restitution language in their statute. The following states include “may” (non-mandatory) language: Florida, Georgia, Louisiana, Minnesota, Missouri, Montana, Nebraska, North Carolina, Texas, Washington, Wyoming and South Carolina. The following states include “shall” (mandatory) language: Massachusetts, Nevada, Virginia, Alabama, Delaware, New Hampshire, New Mexico and Tennessee. 19 For example, Missouri, Montana, Nevada, North Carolina, Washington, Wyoming, Alabama, Delaware, New Mexico, Tennessee, Illinois and Connecticut provide for this in either its civil or criminal identity theft statute(s), or both. 20 Ala. St. Ann. 13A-8-197 (“…the court records for the crime shall reflect that the victim of this act did not commit the crime”); Wyo. Stat. Ann. 6-3-901(“…the court records shall reflect that the person whose identity was falsely used to commit the crime did not commit the crime.”) 21 N.M. Stat. Ann. 30-16-24.1(“The sentencing court shall issue written findings of fact and may issue orders as are necessary to correct a public record that contains false information as a result of the identity theft.”); Utah St. Ann. 76-6-1104(“…the court shall make appropriate findings in any prosecution of such a crime that the person whose identity was falsely used to commit the crime did not commit the crime.”) 22 Civil Identity Theft Statutes: Idaho St. Ann. 28-51-102; Iowa St. Ann. 714.16.B; Tennessee Code Ann. 47-18-2101; Conn. Stat. Ann. 52-571h. 23 Tenn. Code Ann. 47-18-2104; Wyo. Stat. Ann. 6-3-901; Fla. Stat. Ann. 817.568. 24 Tenn. Code Ann. 47-18-2104; 18 Pa. Cons. Stat. 4120; Ky Rev. Stat. Ann. 514.160; Va. Code Ann. 18.2-186.3; Ga. Code Ann. 16-9-125; Wash/ Rev. Code 9.35.020; Ala. Code Ann. 13A-8-199; Fla. Stat. Ann. 817.568; N.H. Rev. Stat. Ann. 638:27; and N.M. Stat. Ann. 30-16-24.1.

Written and Edited by Hedda Litwin, Cybercrime & Violence Against Women Project Counsel, (202) 326-6022, [email protected]

It is formatted by Valarie Gibson, Project Assistant, (202) 326-6262, [email protected]

The Cybercrime Newsletter is developed under the Cybercrime Training Partnership between the National Association of Attorneys General (NAAG) and the National Center for Justice and the Rule of Law (NCJRL) at the University of Mississippi School of Law.

In the interest of making this newsletter as useful a tool as possible for you, we ask that you keep us informed of your efforts Additionally , we would like to feature articles written by you. Please contact us with information, proposed articles and comments about this newsletter. Thank You.

The views and opinions of authors expressed in this newsletter do not necessarily state or reflect those of the National Association of Attorneys General (NAAG). This newsletter does not provide any legal advice and is not a substitute for the procurement of such services from a legal professional. NAAG does not endorse or recommend any commercial products, processes, or services. Any use and/or copies of the publication in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in the publications.