National Association of Attorneys General August/September 2003 CYBERCRIME NEWSLETTER Issue 4 August/September 2003 News Highlights in this Issue Table of Contents Information Security Expert is Keynote at NAAG/NCJRL Cybercrime Training Dr. Gene Spafford, Director of CERIAS, speaks on risks to U.S. critical Features ..................................2 infrastructure .........................................................2 Security Guru is Cybercrime Training Keynote Identity Theft: Legislative Overview Arkansas, Michigan, Texas Crack Down on Spam Voir Dire in Internet Crimes Against Children Arkansas law requires warning in subject line. Michigan House Bill 4519 allows civil suit by Attorney General. Under Texas law, violators can be fined up to AG Initiatives ..............................9 $25,000/day .........................................................14 Arkansas AG Launches Online Safety Program AG Lockyer Breaks Fake Drivers License Ring Online Auction Fraud Stopped by AG Madigan House Passes Permanent Ban on Internet Taxes Iowa AG Sues ISP for Business Records Bill also eliminates “grandfather” clause allowing 10 states to maintain taxes; loss AG Reilly Settles Illegal Lottery Ticket Case estimated at $80-120 billion/year .........................................14 Michigan AG Halts Sham “Anti-Spam” Site Online Seller Sued by AG Nixon Must Pay Computer Emergency Response Center Created AG Harvey Charges Online Seller with Theft Team would coordinate efforts to prevent and respond to cyber attacks. New AG Spitzer Settles Case Against Online Retailer cyber-security chief named .............................................16 Oklahoma AG Charges Online Software Seller AG Fisher Arrests Online Child Predator Online Predator Indicted, Says AG McMaster Missouri to Allow Sex Offender Posting on Internet AG Long Charges Four With Child Pornography Bill signed into law despite constitutional challenge by sex offenders .............14 Utah AG’s Task Force Arrests Predator AG Kilgore Marks New Identity Theft Act House, Senate Committee Pass Internet Gambling Bills House bill exempts state regulated transactions; In the Courts .............................10 tougher Senate bill does not .............................................15 Poster of Third Party E-Mail May Not be Liable Ban on Internet “Explicit” Material Unconstitutional Operation Predator Launched to Track Child Exploiters No Trespass by Ex-Employee Sending E-Mail Initiative will build database of child pornography images to help rescue children Legislation ...............................14 and arrest their exploiters ...............................................16 Arkansas, Michigan, Texas Crack Down on Spam Missouri Enacts Sex Offender Posting Law Study Finds Internet Users Misunderstand Web Privacy Policies House Passes Permanent Ban on Internet Taxes Almost 2/3 of users never search for information on protecting privacy ..........16 Senate Committee Attacks Online Cigarette Sales House Passes Internet Gambling Bill Vermont Ban on Sexually Explicit Materials Distribution Struck Down Violations of First Amendment and Dormant Commerce Clause Found ...........12 News ....................................16 Computer Emergency Response Center Created Study Predicts U.S. Technology Domination Study: Web Privacy Policies Misunderstood Navy Grant on Military Security Awarded China May Fill Asia’s Technology “Power Vacuum” ........................ 16 “Operation Predator” to Protect Children Launched Study Predicts U.S. Tech Domination Plug Pulled on UCITA Internet Gambling Crackdown Causes Complaint Uniform State Laws Body Will Cease Efforts to Encourage States to Enact Study: Song Swappers Blasé About Copyright Standard Software Licensing Statute ......................................17 Plug Pulled on UCITA Supreme Court Oral Arguments Offered in MP3 Format Forensic Software Tool Evaluated National Association of Attorneys General August/September 2003 Information Security Center Director Is Keynote Speaker at NAAG/NCJRL Cybercrime Training Dr. Eugene Spafford, Specific topics included search warrant preparation and Director of the Center execution; witness interviews and defendant for Education and interrogation; charging decisions and indictment Research in Information considerations; evidentiary issues and admissibility Assurance and Security concerns; pre-trial preparation; presentation of forensic (CERIAS) and testimony; trial techniques and tactics; presenting the Professor of Computer case in chief; and meeting untrue defenses. Science at Purdue Dr. Eugene Spafford addressing Cybercrime University, addressed Attendees were also guests at a welcome Training attendees. 46 prosecutors and dinner, which featured Stewart Baker, noted technology investigators from Attorney General offices throughout attorney and former National Security Agency general the country during the first Advanced Cybercrime counsel, as keynote speaker. Baker also currently serves Training, developed by the National Association of on the President’s Export Council Subcommittee on Attorneys General (NAAG) in partnership with the Export Administration and the Markle Foundation’s Task National Center for Justice and the Rule of Law Force on National Security in the Information Age. He (NCJRL). Dr. Spafford is also a member of the discussed internet service provider-law enforcement President’s Information Technology Advisory Council relations. The training was free for Attorney General and the U.S. Air Force Scientific Advisory Board. The offices, with travel expenses paid under the training was held September 9-11, 2003 at the NAAG/NCJRL Cybercrime Partnership. University of Mississippi School of Law in Oxford, Mississippi. Participants at the training heard Spafford The next Cybercrime Training under the discuss the risks that the United States critical NAAG/NCJRL Partnership will focus on computer- infrastructure faces today with respect to computer specific crimes, including hacking, computer intrusions security. and viruses. It is scheduled for March 2-4, 2004, and attendance will be limited to prosecutors. Attorneys Dr. Spafford’s presentation was followed by General will shortly receive information about the three days of in-depth sessions on the investigation and training, including forms to nominate a prosecutor from prosecution of computer crime, which was their office to attend. For additional information, please accomplished by using an actual computer crime case contact Hedda Litwin, Cybercrime and Violence Against from one of the states. Presentations discussed the Women Counsel, at [email protected] or (202) 326- case in detail from the investigation through the trial. 6022. 2 National Association of Attorneys General August/September 2003 Identity Theft: A Legislative Overview Marc M. Harrold Introduction regulators (i.e. FTC); (4) consumers; and (5) the business and financial community.8 While consumer Identity theft is the fastest growing crime in the education is the likely cornerstone of any successful United States.1 While identity theft is not new, long-term identity theft reduction plan, it is outside the technology has effectively allowed criminals to scope of this article, as is the existing infrastructure of streamline their efforts and rapidly expand their victim state and federal law enforcement, the FTC and other base, leading many to call it the “crime of the new governmental agencies currently working to eliminate millennium” and “an epidemic.”2 identity theft and the business and financial community. This article will concentrate on the legislative The Problem approaches to combating identity theft and give an overview of the efforts and approaches, to date, to While identity theft is considered to be one of deal with this ever-increasing and invasive problem. the most under-discovered, and under-reported, crimes in the U.S., the numbers that actually do exist Legislative Overview paint a disturbing picture of the growing nature of this invasive crime.3 Between January and December The federal approach is best exemplified by 2002, the Consumer Sentinel, the Federal Trade the Identity Theft and Assumption Deterrence Act of Commission’s (FTC’s) database to register consumer 1998 amended, 18 U.S.C. § 1028(a)(7).9 The most complaints, received 380,103 consumer fraud and relevant language of the Act provides criminal liability identity theft complaints.4 The aggregate consumer for any person who: loss of these complaints was over $343 million.5 A comparison of the complaints lodged in 2000, 2001 “knowingly transfers or uses, without and 2002 reveal that the overall number of complaints authority, a means of identification of another person registered6 has increased from 139,007 to 380,103, with the intent to commit, or to aid or abet, any and the percentage of identity theft complaints to the unlawful activity that constitutes a violation of Federal overall number of identity theft and fraud complaints law, or that constitutes a felony under any applicable combined has almost doubled from 22 percent to 43 State or local law…” percent.7 This amendment was particularly relevant to Who Must Respond?…and How? the rising trend of identity theft as it criminalizes the theft and misuse of the identification information itself If identity theft is the problem, finding a and not just the theft and misuse of identification solution basically appears to be falling on the shoulders documents. of five major groups: (1) law enforcement (including prosecutors); (2) legislators;