[ga] [RAA son of sb 1386

[Jeff Williams <jwkckid1@xxxxxxxxxxxxx>]

All,

The following likely has significant impact on RAA in regards to
registrar data and Whois.

>From the ABA security forum:

Perhaps it bear repeating but here is the relevant language (or, what I
take
to be the "relevant language") of the ID theft deterrence act of 1998 18

U.S.C. 1028:


"(7) knowingly transfers or uses, without lawful authority, a
means of identification of another person with the INTENT to
commit, or to aid or abet, any unlawful activity that constitutes
a violation of Federal law, or that constitutes a felony under any
applicable State or local law;"<<<<<< [emphasis added]

People have responded online, and offline, indicating their belief that
for
ID theft to occur there must be some further act, by the person, device,
or
entity that stole the information.  And indeed, state law, often,
requires
this 'further act' let's call it. But not federal law.

Perhaps this following analogy is helpful. Person is told they have,
possibly, been exposed to deadly chemical which, perhaps, might effect
them
in the future. The odds are very slim that they will indeed ever show
exposure, never mind, manifest the effects of the damge, but
nonetheless,
it's possible. If you were the individual in question would you seek
heightened medical monitoring over the course of decade or two? Perhaps.

Depends on cost etc.

Same scenario, only this time you are told you definitely have been
exposed...but the chances are, once again, very slim, that you will ever

manifest the effects.  Same cost benefit analysis as the first scenario?
I
doubt it.

In all the class action cases I have read the court held, and indeed,
seemingly, so did the plaintiff's counsel, that ID theft had not
occurred.
Damages were requested for fear of "future ID theft". IOW...returning to
the
analogy, plaintiff was arguing 'we are not sure we've been exposed...but
it
is possible". Court responses, 'fear of future ID theft is not enough to
get
by summary judgment. Take a hike'.

But try to find, in any of the cases I have read anyway, a definition of
ID
theft. Well, that's not surprising given that plaintiff has given that
argument away. It's not in the defendant's interest to note the
definition
in the federal statute.

As I have noted here, and I apologize in advance for repeating myself,
what
should be argued is 'the ID theft has occurred (exposure is confirmed)
according to the federal statute. If the court, or the defendant's
counsel
think that is a silly argument, let them change the language of the
statute.
So, therefore, what we are waiting for is for the other shoe to
drop....the
damages/loss to occur.

Sorry for going on so long, but to the question Adrian brings up
regarding
"uttering"..." The mere possession of the document was insufficient for
there to be a crime.  It was the uttering of the document for some
fraudulent purpose that was the crime. The same rational may be
appropriate
for the issue of ID Theft"

To the extent the CFAA has 'spoken' on this, one case, and one Senate
Conference Report shed a bit of light on the subject.

In the Senate Conference Report (See S.Rep. No. 99-432, at 6-7 (1986))
the
Senate noted " premise of this subsection is privacy protection", which
means, "in this context.mere observation of the data" is a violation of
(a)(2).....thus essentially defining the word "obtains", as it is used
in
(a)(2).  The Report went on to note that that "removal" of the data, or
"transcribing" the data need not be proven as an essential element of
the
violation .  This is a unique finding because, as the Report noted,
information is, essentially 'stolen' without "aspiration" .

In US v. Riggs et al (see 739 F.Supp. 414; 1990 U.S. Dist. LEXIS 6970)
the
court, when confronting a fact pattern that indicated 'hackers' had
accessed
a Bell South network and electronically transferred the information to a

electronic bulletin board. And thus Riggs became what I believe is the
first
reported case brought before the federal appeals court involving the
theft
of a computer text file across state lines by means of electronic
transfer.

The defendant tried to argue that statute, (in this case the National
Stolen
Property Act 18 U.S.C.S. Section 2314)did not cover the actions involved

here. IOW...Bell South was not deprived of "property" because "text
files"
were not property as that term was defined by the NSPA. Court
responded..that it was true that text file was not " "goods, ware, or
merchandise" as required by the statute's definition of "property".
But...

Court held that it is "well settled that when proprietary information is

affixed to some tangible medium" it meets the statutory definition of
property. Text files posted to an electronic bulletin board was a
tangible
medium, because, the court noted:

>>>>>>Although not printed out on paper, a more conventional form of
tangibility, the information in Bell South's E911 text file was
allegedly
stored on computer. Thus, by simply pressing a few buttons, Neidorf
could
recall that information from computer storage and view it on his
computer
terminal. The information was also accessible to others in the same
fashion
if they simply pressed the right buttons on their computer. This ability
to
access the information in viewable form from a reliable storage place
differentiates this case from the mere memorization of a formula..."

My read is, and like anyone's read, it is a subjective one, the
defendants
did not have to view  or possess the data, they merely had to have the
ability, the potential, to do so, and a violation occurred.

Perhaps Riggs has been overruled in the past year or so. I have not
researched over that time period.

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827