Monthly Archives: June 2007

Cybercrime basics…

The term Cybercrime is broadly defined to include any criminal activity committed on the internet.  Almost everyone has at least a basic understanding about online identity theft, probably the most common cybercrime.  However, there appears to be considerable confusion regarding some of the other basic cybercrimes and their definitions.  I recently visited the website of a firm where the terms phishing and spoofing were incorrectly used interchangeably! 

Some of the most common cybercrimes are: 

Email spoofing – The forgery of an e-mail header in a manner that the message appears to have originated from somewhere other than the actual source.   Widely used by spammers, a spoofed e-mail may appear to be from a legitimate source asking for personal information, passwords, credit card numbers, etc. 

Phishing – The sending of an email to a recipient in an attempt to scam the recipient into revealing private information. The email contains a link to what appears the website of a legitimate enterprise but is only a fake version of the organization’s website.  When the recipient visits the fake website, the recipient is asked to update personal information, such as passwords and credit card, social security, and bank account numbers that the legitimate organization already has.

Cookie Poisoning – Some websites store cookies on your computer’s hard drive to authenticate your identity, speed up your transactions, monitor your behavior, and personalize your website experience. Cookie poisoning is the modification of a cookie by an attacker to gain unauthorized access to private information about the user.  The attacker may use this private information for identity theft and to gain access to the user’s existing accounts.

Wardriving – War driving is the process of traveling around using a Wi-Fi enabled computer looking for wireless access point signals that can be used to get network access.  The most common use of wardriving is to steal somebody else’s Internet access. 

Malware “malicious software” – The developing of a program or file that is harmful to a computer, including computer viruses, worms, Trojan horses, and spyware.

Pod Slurping – The unauthorized download of data from a computer to a storage device such as a MP3 player, flash drive or iPod.  This technique is commonly used by data thieves to steal contents from corporate computers.

Cyber stalking – Cyber stalking is a crime in which the attacker harasses a victim using electronic communications such as email, instant messaging, or forum posts. Unlike a spammer, a cyberstalker targets and usually threatens a specific victim.

CAN-SPAM Act: Non-compliance is a crime… and overzealous ISPs may refuse to deliver legally compliant email messages

On May 31, 2007, the BBC reported “U.S. Arrests Internet spam king” Robert Soloway.   (A copy of the Article can be found at: http://news.bbc.co.uk/2/hi/technology/6707333.stm).  

Mr. Soloway is accused of being “responsible for tens of millions of unsolicited e-mails promoting his own company between November 2003 and May 2007” in violation of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.

The CAN-SPAM Act is codified under 15 U.S.C. § 7701-7713.  Contrary to the belief of many, the CAN-SPAM Act does not prohibit sending spam emails.  Instead, it imposes certain requirements.  These mandatory requirements include, inter alia, the use of accurate email subject lines and transmission information, opt-out procedures where recipients can elect not to receive additional emails fom the sender, mandatory timeframes for the removal of users who elect to opt-out, and a prohibition of improper email harvesting. 

But, what happens when a sender complies with all the requirements of CAN-SPAM?  Can an ISP still refuse to deliver compliant email messages to the intended recipients?

In White Buffalo Ventures, LLC v. University of Texas, 420 F.3d 366 (5th Cir. 2005), the Plaintiff, White Buffalo, was an online dating service operating several online dating websites, including one that targeted students of the University of Texas (UT).  White Buffalo obtained the “non-confidential, non-exempt email addresses” held by UT through a Public Information Act request. 

White Buffalo used these email addresses to send CAN-SPAN compliant commercial emails to members of the UT community. UT issued a cease and desist letter but White Buffalo refused to comply.  As a result, UT blocked all emails originating from White Buffalo’s IP address.

White Buffalo sued UT, arguing that the First Amendment and the CAN-SPAM Act precluded UT’s actions.  The Court disagreed and held that the CAN-SPAM Act does not prevent Internet Service Providers (ISPs), in this case UT, from filtering CAN-SPAM compliant commercial emails.

The lesson to senders of commercial email: Non-compliance with CAN-SPAM will probably result in criminal prosecution, but compliance does not guarantee that an overzealous ISP will deliver the legally compliant emails to its intended recipients.

Are domain names property or contractual rights, and why do we care?

Some courts have held that that domain names are property.  In Kremen v. Cohen, 337 F.3d 1024 (9th Cir. 2003), the plaintiff registered the domain name sex.com.  The registrar transferred the name to a different individual on the basis of a forged letter.  The Court reversed the district court’s holding that domain names were intangibles not subject to conversion.  The Court held that the registrar was subject to liability “for giving away someone else’s property.”  Id. at 1035.

Other courts, however, have concluded that “a domain name registration is the product of a contract for services between the registrar and registrant.”  Network Solutions, Inc. v. Umbro Int’l, Inc., 259 Va. 759, 770 (2000) (citing Dorer v. Arel, 60 F. Supp. 2d 558, 561 (E.D. Va. 1999)). 

If considered property rights, domain names would be subject to state property laws and state property causes of action, such as conversion, would be applicable.  However, if domain names confer only contractual rights, the nature of the protection afforded to the registrant would be quite different. 

Under ICANN rules, a domain name owner must intervene within five days to stop an inter-registry transfer request.  Therefore, whether a domain name is treated as property or as a contractual right can make a huge difference in the remedies available to victims of domain name hijacking who do not intervene within the five-day period prescribed by ICANN.