United States v. Ivanov

United States v. Ivanov was an American court case addressing subject-matter jurisdiction for computer crimes performed by Internet users outside of the United States against American businesses and infrastructure. In trial court, Aleksey Vladimirovich Ivanov of Chelyabinsk, Russia was indicted for conspiracy, computer fraud, extortion, and possession of illegal access devices; all crimes committed against the Online Information Bureau (OIB) whose business and infrastructure were based in Vernon, Connecticut.

United States of America v. Aleksey Vladimirovich Ivanov
CourtUnited States District Court for the District of Connecticut
DecidedDecember 6, 2001 (2001-12-06)
Case history
Prior actionsIvanov was indicted for charges of conspiracy, computer fraud, extortion, and possession of illegal access devices. Ivanov motioned to dismiss, arguing the court lacked subject-matter jurisdiction.
Subsequent actionIvanov was sentenced to 48 months in prison in the United States.
Holding
Ivanov's motion for dismissal was denied.
Court membership
Judge sittingAlvin W. Thompson
Keywords
Subject-matter jurisdiction Legal aspects of computing Cybercrime

Ivanov moved to dismiss the indictment, claiming that the court lacked subject-matter jurisdiction, arguing that "because he was physically located in Russia when the offenses were committed, he can not be charged with violations of United States law."[1] The court denied Ivanov's motion, "first, because the intended and actual detrimental effects of Ivanov's actions in Russia occurred within the United States, and second, because each of the statutes under which Ivanov was charged with a substantive offense was intended by Congress to apply extraterritorially."[1]

In a later ruling, Ivanov pleaded guilty to several crimes, including computer intrusion and computer fraud, and was sentenced to 48 months in prison followed by 3 months of supervised release.[2]

Background

edit

Unlawful access and FBI capture

edit

Ivanov attracted FBI attention in the Fall of 1999, when internet service provider (ISP) Speakeasy discovered their network had been compromised and informed the Seattle branch of the FBI. In early 2000, OIB also detected an attack and notified the FBI in Connecticut. Between late 1999 and early 2000, other large Internet corporations including CD Universe, Yahoo, and eBay also experienced similar attacks to Speakeasy and OIB.[3] Computer forensics determined the Internet traffic for all attacks originated from the same machine in Russia.[3] After linking his online alias "subbsta" and his resume,[4] the FBI determined Ivanov's identity and initiated a sting operation to lure him to the United States for arrest.

The FBI constructed a false computer security company, Invita, in Seattle, Washington and invited Ivanov to interview for a position on November 10, 2000.[5] Ivanov's interview involved hacking an FBI controlled honeypot. While Ivanov was hacking the FBI honeypot, all keystrokes and network traffic were recorded as potential evidence.[6] In addition, the FBI made video and audio recordings of the entire interview process. After Ivanov successfully gained access to the FBI honeypot, he was arrested.[6] The FBI used the recorded keystrokes and network traffic log to access the intermediary computers Ivanov used in Russia.

When the FBI accessed Ivanov's machines, they found folders with data corresponding to the companies he had remotely attacked. Over 2.3 GB of data was recovered from Ivanov's machines, including the tools used to gain illegal access and scripts that referenced companies that had been attacked.[7]

Attack on OIB

edit

Ivanov obtained superuser (root) access to OIB machines. By gaining root access to OIB's machines, Ivanov was effectively able to "control the data, e.g. credit card numbers and merchant account numbers, stored in OIB computers."[1] After gaining access to OIB's systems, Ivanov contacted OIB using his online handle "subbsta", offering security assistance in exchange for $10,000. OIB refused to pay Ivanov which resulted in a final email: "now imagine please Somebody hack you network (and not notify you about this), he downloaded Atomic software with more than 300 merchants, transfer money, and after this did 'rm –rf' and after this you company be ruined. I don't want this, and because this I notify you about possible hack in you network, if you want you can hire me and im always check security in you network. What you think about this."[1]

Trials

edit

Indictment

edit

When brought to trial in Connecticut, Ivanov was indicted on eight counts, six of which Ivanov appealed:

  • Count one charged Ivanov with conspiracy to commit computer fraud in violation of 18 U.S.C. § 371.[1]
  • Charges two, three and six all alleged that Ivanov's activity violated 18 U.S.C. § 1030, the Computer Fraud and Abuse Act. The government alleged that Ivanov knowingly accessed OIB's computers with intent to defraud and intentionally accessed OIB's machines with intent to collect information.[1]
  • Count six alleged Ivanov "transmitted in interstate and foreign commerce communications containing a threat to cause damage to protected computers owned by OIB."[1]
  • Count seven charged Ivanov with disrupting commerce by means of extortion in violation of 18 U.S.C. § 1051.[1]
  • Count eight charged Ivanov with possession of "unauthorized accesses devices" in violation of 18 U.S.C. § 1029, which regulates fraud in connection with access devices.[1]

Ivanov was subject to up to ninety years in prison if found guilty on all counts.[6]

Ivanov's appeal

edit

After his indictment, Ivanov filed for a motion to dismiss all charges because "he was physically located in Russia when the offenses were committed" and thus "he can not be charged with violations of United States law."[1] The district court denied his appeal following two trains of logic: "first, because the intended and actual detrimental effects of Ivanov's actions in Russia occurred within the United States, and second, because each of the statutes under which Ivanov was charged with a substantive offense was intended by congress to apply extraterritorially."[1]

The court argued that previous cases provided precedent for applying subject matter jurisdiction extraterritorially, so long as the "intended and detrimental effects" occurred within jurisdiction. The court cited United States v. Muench as stating, "the intent to cause effects within the United States... makes it reasonable to apply to persons outside United States territory a statute which is not expressly extraterritorial in scope."[1] The court also cited United States v. Steinberg in claiming, "it has long been a commonplace of criminal liability that a person may be charged in the place where the evil results, even though he is beyond the jurisdiction where he starts the train of events of which the evil is the fruit."[1]

The court then argued that the detrimental effects of Ivanov's attacks indeed took place in the United States, stating, "the fact the computers were accessed by means of a complex process initiated and controlled from a remote location does not alter the fact that the accessing of the computers, i.e, part of the detrimental effect prohibited by the statute, occurred at the place where the computers were physically located, namely OIB's place of business in Vernon, Connecticut."[1]

In a second argument, the court stated that regardless of the previous logic, "to each of the statutes under which the defendant has been indicted for a substantive offense, there is clear evidence that the statute was intended to apply extraterritorially."[1] The court then enumerated each of Ivanov's alleged offenses, the laws they referenced, and the specific language in the laws that implied extraterritorial application.

Following these arguments, the court denied Ivanov's motion to dismiss.

Subsequent rulings

edit

Ivanov later pleaded guilty to several of the charges, including computer intrusion and computer fraud, and was sentenced to 48 months in prison followed by 3 months of supervised release.[2]

Ivanov's crimes were not limited to Connecticut. He was also prosecuted and convicted in Washington,[8] New Jersey,[9] and California[10] for similar crimes. In total, Ivanov was tried in five district courts, more than any other case listed on the United States Department of Justice listing of computer crimes.[11]

Impact

edit

Although the court ruled that the laws which Ivanov violated already extended extraterritorially, the USA PATRIOT Act increased the scope of the Computer Fraud and Abuse Act to expressly cover machines outside the United States.[12]

References

edit
  1. ^ a b c d e f g h i j k l m n o United States v. Ivanov, 175 F. Supp. 2d 36 (US District Court for the District of Connecticut 2001).
  2. ^ a b Newcomb, Penny. "Russian Man Sentenced for Hacking into Computers in the United States". U.S. Department of Justice. Retrieved February 6, 2012.
  3. ^ a b Traore, Issa. "Chapter 8: Computer Forensics" (PDF). University of Victoria. Retrieved February 6, 2012.
  4. ^ "Cached copy of Ivanov's resume". mail-index.netbsd.org.
  5. ^ "RUSSIAN NATIONAL ARRESTED AND INDICTED FOR PENETRATING U.S. CORPORATE COMPUTER NETWORKS, STEALING CREDIT CARD NUMBERS, AND EXTORTING THE COMPANIES BY THREATENING TO DAMAGE THEIR COMPUTERS". cybercrime.gov.
  6. ^ a b c "A hacker story". crime-research.org. CIO Asia. Retrieved February 6, 2012.
  7. ^ Attfield, Philip (2005). "United States v Gorshkov Detailed Forensics and Case Study; Expert Witness Perspective". First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05). Institute of Electrical and Electronics Engineers. pp. 3–26. doi:10.1109/SADFE.2005.28. ISBN 0-7695-2478-8. A warrant was granted to the FBI 10 days after the download
  8. ^ "Russian Computer Hacker Convicted by Jury". justice.gov. Retrieved February 18, 2012.
  9. ^ "United States v Alexey V.Ivanov". cybercrime.gov. Retrieved February 18, 2012.
  10. ^ "RUSSIAN COMPUTER HACKER INDICTED IN CALIFORNIA FOR BREAKING INTO COMPUTER SYSTEMS AND EXTORTING VICTIM COMPANIES". cybercrime.gov. Archived from the original on June 25, 2001. Retrieved February 18, 2012.
  11. ^ "Computer Crime and Intellectual Property Section". United States Department of Justice. Retrieved February 18, 2012.
  12. ^ Lemley, Mark; Menell, Peter; Merges, Robert; Samuelson, Pamela; Carver, Brian (2011). Software and Internet Law (4th ed.). ISBN 978-0-7355-8915-5.
edit