Why Study Cybercrime Law?

I've dealt with online fraud and identity theft as a federal prosecutor for 15 years, and taught cybercrime-related courses as an adjunct professor at Georgetown Law Center and the University of Virginia Law School at various times for more than a decade.  To me, it seems intuitively obvious why law students would be interested in studying cybercrime.  But in the continuing woes of the legal job market, I can also understand why some law students might think, "Sounds fun, but a little marginal. What I need is Corporations/Securities Regulation/Tax/[etc.]"

No one can dispute that business-oriented law courses can be valuable and interesting for future practitioners.  But here are my reasons that law students should make room in their busy schedules for a cybercrime law course or seminar:

1.  As a practitioner, it's now your ethical obligation to understand the risks and benefits of technology.  No joke: The American Bar Association just amended the Model Rules of Professional Conduct to address this issue.  Model Rule 1.1 deals with an attorney's duty to provide competent representation to a client, which "requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation."  The amended language of Rule 1.1 now states, "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject."  [Emphasis supplied]  To me, that means that your competence and skill as an attorney, whether in the private or the public sector, will depend on your ability to keep up with developments in digital technology that can affect your firm's, agency's, or clients' abilities to safeguard data, as well as your clients' own information technology practices that can affect current operations.  With due respect to law professors who teach conventional business-oriented courses, you're not going to develop a working understanding of current information technology threats and risks in Sec Regs.

2.  It's more important that you get the best grades you can, regardless of what courses you take, and taking a course like Cybercrime won't affect your marketability.  Employers won't care if you loaded up on business-oriented law courses if you pulled B-s or C+s in those courses.  As one poster put it on Lawyerist.com "while law school grades aren't a good measure of lawyering skills, grades are, for better or worse, the most quantifiable measure of law school success."  Of course, a prospective employer might raise an eyebrow if she sees that you've taken lots of esoteric courses like "the Law of the Horse" (a phrase of former Stanford President and emeritus law professor Gerhard Casper that Judge Frank Easterbrook used more than 15 years ago to characterize the then-nascent field of cyberlaw).  But any course in which you were intrigued by the subject matter and did well becomes a great talking point on on-campus or callback interviews.

3.  Actually, maybe Cybercrime makes you more marketable to some.  Think about point 1 above.  Here's a possible interview scenario: "I see you took Cybercrime.  Why did you decide to take that?" "Because I think that lawyers have to understand technology, with all its risks and benefits, in order to represent their clients competently.  That course gave me a much better understanding of the risks and how lawyers need to respond to them, for prevention and mitigation of harm.  Does your firm deal with information security or data-breach issues?"  "As a matter of fact, yes. . . ."

4.  Cybercrime matters as a distinct field of law.  Just look at the past week's headlines to see how many different areas of law and public policy cybercrime touches:

• Child Exploitation and Pornography: The Louisiana-based moderator of Dreamboard, a child exploitation bulletin board, was sentenced in federal court to 38 years imprisonment for his role in an international child-pornography ring.  Seven other defendants were also sentenced for their roles in the network.  The U.S. Attorney's Office in Shreveport explained in a press release that the moderator "handl[ed] technical matters including the encryption of posts so that law enforcement could not catch participants on the board and the mentoring of members," and that to date 42 out of 72 individuals had been convicted for their participation in Dreamboard.
• Critical Infrastructure Protection: After the defeat in the U.S. Senate of proposed cybersecurity legislation, White House Homeland Security Adviser John Brennan reportedly stated, according to CNBC, that the White House "is exploring whether to issue an executive order to protect the nation's critical computer infrastructure."
• Cyberbullying: In addition to reports that British Olympic diver Tom Daley and rock singer Shirley Manson were the targets of cyberstalkers, a new study of German youth reportedly concluded that "young people who suffer from cyberbullying or cyber harassment struggle the most when fellow classmates make fun of them by distributing embarrassing photos and videos."
• Cybersecurity:  Researchers at Kaspersky Lab just issued an analysis showing that a new type of malware, as the Washington Post reported, "appears to be the creation of the same state-sponsored program that produced the viruses known as Stuxnet and Flame,"  which "were aimed at computers tied to Iran’s nuclear program."
• Cyberwarfare: The Washington Post reported that the Pentagon "proposed that military cyber-specialists be given permission to take action outside its computer networks to defend critical U.S. computer systems — a move that officials say would set a significant precedent."
• Economic Espionage:  The Manhattan District Attorney's Office charged a former Goldman Sachs programmer with state-law felonies of "unlawful use of secret scientific material and duplication of computer-related material" relating to the ex-programmer's alleged theft of secret source code from Goldman.  This same conduct was the basis of a federal prosecution that resulted, earlier this year, in reversal by the U.S. Court of Appeals for the Second Circuit (676 F.3d 71 (2d Cir. 2012)).  Also, a former Intel Corporation worker was sentenced in federal court to three years imprisonment for stealing proprietary information valued between $200 million and $400 million.
• Intellectual Property Theft:  The Chairman's staff of the Congressional Joint Economic Committee issued a report that "there has been a dramatic rise" in the number of foreign infringement of domestic intellectual property rights" in recent years, with the number of cases that the International Trade Commission is investigating increasing by 80.6 percent in 2010 and 23.2 percent in 2011.
• Internet Governance: Rebecca McKinnon of the New America Foundation wrote in Foreign Policy that "[a] number of countries, including Russia and China, have put forward proposals to regulate aspects of the Internet like 'crime' and 'security" that are currently unregulated at the 'global level due to lack of international consensus over what those terms actually mean or over how to balance enforcement with the protection of citizens' rights."  These efforts are associated with a larger effort by some countries to bring the Internet under the control of a United Nations agency, the International Telecommunications Union.
• Law Enforcement Cooperation: During her visit to South Africa, Secretary of State Hillary Rodham Clinton announced the creation of "a new cyber working group to identify the common cyber threats and national priorities to build capacity to fight cyber crime and coordinate in international forums."

In short, cybercrime touches many facets of the global economy and everyday life, and the consequences of successful cybercrime can be devastating to individuals, businesses, governments, and society as a whole.

5.  It's fun.  Not a sufficiently intellectual argument to whet your appetite?  Okay - Cybercrime law can be (1) intellectually satisfying to study because the legal and tech landscapes are in constant flux and require even tech-savvy lawyers to run very fast just to keep up, and (2) personally satisfying because in a wired world we can sense, much more than our parents' generation, that cybercrime can directly reach us -- our personal data, our relationships, our property -- through the iPhones, iPads, and other digital communications that are woven into our daily lives, and we can feel relatively more secure if we learn how best to respond to that threat.

That's why to study cybercrime.

Water, Water Everywhere ... But So Is The Net

Even as drought blankets more than three-fifths of the United States, a number of countries around the world have lately suffered from sudden and devastating overabundances of water.  Last month, what the New York Times termed "catastrophic flooding" led to 172 deaths in southern Russia, and "torrential rains" that deluged southern and western Japan caused the evacuation of 250,000 people and killed at least 27 people.  North Korea has also endured heavy flooding that reportedly caused hundreds of deaths and left 212,000 homeless. Within the past week, China has been hit by three typhoons.  In just the past day or two, the last of those, Typhoon Haikui, prompted the evacuation of nearly 2 million people in China and, thanks to a monsoon enhanced by Haikui, the Philippines endured "widespread flooding", including 20 inches of rain on Manila just yesterday, that forced more than 780,000 people to flee their homes.

While water and electronics don't usually mix, two of these disasters also brought to light what digital technology can do during and after the devastation to help those in need.  In Russia, "opposition leaders and civic activists" drew on online and street social networks to gather food, water, and medical supplies for flood and travel to flood-affected areas to help with cleanup efforts.  In the Philippines, Christine Hauser posted  on the New York Times's The Lede blog that "residents turned to social media to call out for help and to pinpoint with names and addresses the locations of those trapped," and Google set up a "People Finder", in English and Filipino, that allows people to post information whether they are looking for someone or have information about someone.

These types of initiatives are welcome and useful -- so long as there's no massive disruption of power for ISPs and disaster victims alike.  Unfortunately, maintenance of critical communications in major disasters requires not just resilience in the primary power grid but backup or independent power sources for both users and providers, whether battery-, diesel-, solar-, or even hand-powered.  Although Hurricane Katrina showed that (as ULL Professor Robert Henry put it) the Internet can be "less vulnerable to failure than other telecommunications links," Twitter won't tweet and Google won't -- well, google -- if there's no juice.

"It's Me, Grandma" -- The Growth of "Grandparent Scams"

For most of the last decade, Japan has been plagued with the so-called "It's me" scams (translated from "Ore ore sagi").  These are telephone-based fraud schemes in which the fraudster calls a person and pretends to be a younger relative who is in legal or other trouble and urgently needs money for bail, traffic fines, or hospital expenses.  (The scheme got its name from the caller saying, if the person appeared to sound older, "Grandma (or Grandpa), it's me."  If the person receiving the call then assumes it is their relative and responds accordingly, such as "Ichiro, is that you?", the caller then "confirms" his identity and seeks to persuade the call recipient to transfer money through a particular bank account.

Some empirical data about "It's me" schemes are available from a survey of victims that the Tokyo Metropolitan Police Department conducted between October and December 2011.  According to a report on the survey by the Japan Times, out of 323 cases, 75 percent involved the caller posing as the call recipient's son, and another 14 percent posing as the recipient's grandson.  The Tokyo Police also reported that 70 percent of victims lived alone or with their spouses and had never discussed the "It's me" fraud with their families.

This apparently simple scheme has proved surprisingly lucrative for fraudsters.  In 2011, according to the Japan Times, Japan's National Police Agency (NPA) reported that the fraud had increased by 34 percent from 2010 to yield ¥10.6 billion, equivalent to about US$138 million, and that more than 4,600 cases of such fraud had been recorded.  In 2012, the Tokyo Police stated that of the 340 "It's me" cases in Tokyo this year, the average amount stolen from victims was ¥3 million, equivalent to about US$12,800. 

Perhaps because this type of scam requires minimal preparation and skill of the criminal, while yielding substantial sums of money, some "It's me" scams reportedly were being run by Yakuza members.  More recently, as early as 2009 some "It's me" callers reportedly claimed to be Yakuza members and demanded money from the persons they called.  In 2011, in the aftermath of a major earthquake in northern Japan, the Telegraph reported that some callers pretended to be relatives who were earthquake victims and urgently needed funds.

Some have speculated that the scheme succeeds in Japan "because debt holds great shame." Yet since about 2008, "it's me" schemes began a dramatic surge, under the name "grandparent" or "emergency scams," in a variety of countries where debt has less cultural sensitivity, including the United States, Canada, and Australia:

• In the United States, victims span the country from New York to Florida to Hawaii.  So pervasive have these schemes become that numerous government and private-sector organizations -- including the AARP, the FBI, the State Department, MoneyGram, and the Canadian Anti-Fraud Centre -- have issued warnings to the public about them. Moreover, where "It's me" schemes were confined to Japan, "grandparent" schemes targeting U.S. residents can be traced to Canada, Spain, Mexico, and Nigeria, according to the New York State Attorney General's Office, and to the United Kingdom.
• Last year, according to the AARP, "more than 25,500 older Americans reported sending money" to grandparent schemes.  The typical amounts that these scams request from U.S. victims vary widely, but typically range from $1,000 to $4,000, as reflected in recent reports from California (jail/auto accident/court settlement pitch) and New York (bail money pitch). When the scammers seek to "reload" the victim -- that is, to find additional bases to request more money from the victim, such as lawyers or additional fees -- reported losses have risen to $8,100, $11,000 and even to nearly $90,000 in one case.
• Canada, too, has its share of victims from both domestic and international schemes. Victims there have publicly reported comparable loss ranges:CA$1,200 to $1,900, up to $5,900 and even $20,000 when the victims were reloaded.
• Australia has reported a surge in grandparent scams victimizing its residents.  One recent report by the Western Australia Department of Commerce listed fraud losses ranging from AU$3,000 to $30,000.  Particularly noteworthy in two of these cases was the apparent targeting of people who spoke Central European languages.  One victim who sent AU$30,000 was called by someone who spoke Serbian, the victim's first language, and claimed to be from the Australian Embassy in Belgrade.  Another victim, who spoke Croatian, sent AU$3,000 after the caller, who spoke fluent Croatian, claimed to be from the Croatian Embassy in Dubai.
• In general, single demands for higher amounts of money are less likely in this scheme, as the amount being requested presumably has to bear some reasonable relationship to the type of purported need for immediate assistance. One Florida resident reported that he became suspicious immediately when a scammer pretending to be the call recipient's granddaughter asked for $100,000 so she could get out of legal trouble in Las Vegas.

Law enforcement authorities, including in the United States and Canada, have shown that they are willing to pursue the cases.  Just two weeks ago, after parents and grandparents of students of the University of Texas at Austin got calls claiming that the students had been kidnapped or injured or needed medical attention and demanding small amounts of money, the University Police Department announced that it, the FBI, and the Joint Terrorism Task Force were investigating the calls.  Moreover, any defendants prosecuted in such a scheme would be unlikely to find sympathetic juries.  Just two months ago, a U.S. federal district judge sentenced two Montreal-based emergency scammers to two years imprisonment.

The key to effective law enforcement responses, however, is prompt reporting by the public.  So long as only about 8 percent of victims report the crime, according to Steve Baker, a regional director of the Federal Trade Commission, law enforcement will inevitably get a fragmented and misleading picture of the scope and extent of the problem.  Proactive public-service programs -- such as the Consumer Federation of America's consumer education campaign and the Japanese National Police Agency's advertising campaign against "It's me" schemes -- could help to encourage more reporting and fill the gaps in that picture.

Spanish Authorities Conduct Three Rounds of Arrests on Mass-Marketing Fraud Schemes

For some time, law enforcement authorities in numerous countries have closely tracked the growth of mass-marketing fraud rings that use Spain as a base of operations for lottery fraud and investment fraud. In recent months, several operations that Spanish authorities have mounted against these rings provide significant indications of the scale and methods of these groups.


First, the Spanish National Police announced that on March 12-13, with assistance from the United States Secret Service and the Canadian Anti-Fraud Centre, they arrested 23 individuals allegedly involved with a "Nigerian letter" scheme, as part of "Operacion Birte."  According to the National Police, the scheme sent thousands of letters each day to prospective victims, claiming that the recipients either were heirs to millions of dollars or had won a lottery.  Victims who responded were promised up to €75 million, but were told that they needed to pay various advance fees.  Victim losses reportedly ranged from €50,000 to €100,000 per victim, for total of about €2 million.  As part of the scheme, victims also were invited to travel to Madrid, where they were shown trunks supposedly containing the Euros they were to receive (a variation on the traditional "black money" scheme).  police also determined that the proceeds of the scheme were to be invested in building a three-story shopping center in Lagos, Nigeria.


In Operacion Birte, police arrested the 23 individuals in Madrid and in nine towns in the Madrid and Castilla la Mancha regions, conducted 12 searches in various locations, and seized numerous items, including three cars, 25 computers, cash, 90 cell phones and numerous phone cards, hundreds of names and addresses of U.S., U.K., and German residents, and substantial amounts of counterfeit Euros packed in a trunk.  The arrestees' nationalities included Spain, Nigeria, Equatorial Guinea, the Democratic Republic of the Congo, and Romania.


Second, the Guardia Civil announced on March 21 that in "Operation Magos," its Cybercrime Group had arrested eight individuals (six Nigerian, one Colombian, and One Spanish) in five towns in the Madrid region.  The arrests were in connection with a mass-marketing fraud scheme that targeted businessmen, offering them allegedly spurious business loans or investment opportunities.  As in the first scheme, victims were invited to come to Madrid and were shown trunks that purported to be filled with genuine currency, but were persuaded first to pay various taxes and fees.  Police estimated that the scheme had taken about €7 million from victims.  Searches conducted at the times of the arrests yielded more than 50 mobile telephones, fraudulent documentation, and hundreds of parcels wrapped in transparent film that were made to appear to contain $50 million.


Third, the Telegraph recently reported that Spanish police had "detained six people in Torrejon de Ardoz, near Madrid, and Malaga" for their alleged involvement in lottery fraud.  The scheme reportedly mailed out letters, principally to Italians, claiming that the recipients had won  €1 million but needed first to pay  €4,000 in administrative "fees."  Police stated that in 2012, nearly 500 victims (mainly Italians) lost money to the scheme, which directed the victims to send the money via bank or postal money transfers.


Police also reportedly seized 800 "Nigerian letters" ready for mailing, as well as 700 envelopes and   lists of possible victims.  In one search location in Torrejon de Ardoz, police stated that some members of the ring ""tried to flee through the window after flushing a large quantity of drugs down the toilet," and noted that "the network also trafficked narcotics."