Wednesday, September 23, 2015

LendingTree, Unauthorized Access and the Computer Fraud and Abuse Act

After Brian Matthew Rich “entered into a conditional plea agreement” with the U.S. Department of Justice, he appealed. Brief of Appellant, United States v. Rich, 2015 WL 860788 (U.S. Court of Appeals for the 4th Circuit 2015). The brief he filed on appeal begins by explaining how, and why, the prosecution arose:
The essential facts of this case are undisputed. LendingTree LLC operates a mortgage brokering business that connects consumers interested in securing a mortgage loan with lenders willing to provide such loans. The model works as follows: A consumer seeking a mortgage loan initiates the process by submitting personal and financial data through online forms at LendingTree's website. This information, known as a ‘mortgage lead,’ is then provided to a set of lenders who ostensibly compete with each other to provide a loan to the consumer on favorable terms. . . .

To receive mortgage leads from LendingTree, a lender must become a member of the LendingTree Network. Doing so requires the lender to undergo a financial review, sign a contract, and pay a fee to LendingTree. After joining, a lender must then pay another fee for each mortgage lead it receives and yet another fee for each loan that it closes based on a LendingTree lead. . . .

Steve Rosene, a co-defendant in this case, was a part owner of Newport Lending Group (‘NLG’). At all relevant times, NLG was a member of the LendingTree Network. . . . As a result, LendingTree provided NLG and Rosene with log-in credentials (consisting of a username and password) that permitted remote access to Lender Web Apex (‘Apex’), a computer system through which lenders receive their mortgage lead information from LendingTree. . . .

Beginning in approximately 2005, Rosene entered into a side agreement with Jarrod Beddingfield, a LendingTree employee. . . . As an employee, Beddingfield was authorized to access the Apex system using administrator log-in credentials. . . . In exchange for payments from Rosene, Beddingfield provided Rosene with mortgage leads and preferential treatment that Rosene was not entitled to receive based on NLG's status within the LendingTree Network. . . . In addition, Beddingfield provided username and password information that permitted Rosene to gain administrator-level access to the Apex system, where he was able to obtain additional mortgage lead data. . . .

Brian Rich and Marcus Avritt were co-owners of Chapman Capital, Inc., which also operated under the business name of Home Loan Consultants. . . . Beginning in late 2006, Chapman paid Rosene to provide mortgage leads. . . . In January 2007, Chapman increased its monthly payments to Rosene in exchange for username and password information that permitted Chapman to log in to LendingTree's Apex system to retrieve mortgage lead information. . . .

In May 2007, Beddingfield was laid off from his position at LendingTree. . . . Several months later, in January 2008, the company discovered that its Apex system had been accessed in a manner inconsistent with company policy. . . .  As a result, LendingTree disabled the administrator log-in credentials that Beddingfield had previously provided to Rosene. . . . Beginning on January 7, 2008, attempts to access the Apex system using those credentials were unsuccessful. . . .
Brief of Appellant, supra at *4.
Rich’s appellate brief goes on to explain that
[b]ased on these facts, a grand jury in the Western District of North Carolina indicted Avritt, Beddingfield, Rich, and Rosene for several charges arising under 18 U.S. Code § 1030, often referred to as the Computer Fraud and Abuse Act (‘CFAA’). . . . [A] person violates § 1030(a)(2) if he ‘intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.’ 18 U.S. Code § 1030(a)(2)(C). A related provision, § 1030(a)(4), creates a separate offense for any person who, ‘knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.’ Id. § 1030(a)(4).

The indictment charged all four defendants with conspiring to violate both § 1030(a)(2)(C) and § 1030(a)(4) by using ‘compromised’ administrator log-in credentials to access LendingTree's Apex computer system. . . . In addition, the indictment charged Rich (along with Avritt and Rosene) with 26 substantive counts of violating § 1030(a)(2)(C) and 26 substantive counts of violating § 1030(a)(4). . . . The substantive counts were based on alleged access to the Apex system on 26 specific dates between November 15, 2007, and January 4, 2008. . . .

Rich moved to dismiss the indictment for ‘failure to state an offense’ under Federal Rule of Criminal Procedure 12(b)(3)(B). He argued, among other things, that the facts alleged in the indictment did not establish a violation of the CFAA, as interpreted by WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (U.S. Court of Appeals for the 4th Circuit 2012). . . .

The district court denied Rich's motion because it concluded that ‘the indictment sufficiently alleges the essential elements of the offenses.’ . . . In reaching that conclusion, however, the court did not address the scope of § 1030 under this Court's decision in WEC Carolina. . . .
Brief of Appellant, supra at *5.
The brief also explains that the U.S. District Court Judge who had the case ultimately “imposed a low-end sentence of 24 months” on Rich. Brief of Appellant, supra at *5.
In his appeal, Rich argued that his case
presents a question about the scope of the Computer Fraud and Abuse Act (‘CFAA’) that was left unanswered by WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (U.S. Court of Appeals for the 4th Circuit 2012). The CFAA makes it a criminal offense for a person to ‘access[ ] a computer without authorization’ for the purpose of ‘obtain[ing] . . . information’ or furthering a fraudulent scheme. 18 U.S. Code §§ 1030(a)(2)(C), (a)(4). In WEC Carolina, this Court ‘adopt[ed] a narrow reading’ of the CFAA's ‘unauthorized access’ element, holding that it was not satisfied where an employee obtained information from his company's computers and provided it to a third party in violation of company policy. WEC Carolina Energy Solutions LLC v. Miller, supra.
Brief of Appellant, supra at *1.
Rich’s brief goes on to argue that this
case presents a functionally equivalent scenario. In addition to providing confidential company information, a LendingTree employee also shared a password that allowed third parties (including the defendant, Brian Rich) to obtain additional information directly from the company's computer network. This Court should conclude that such shared-password access does not satisfy the CFAA's ‘unauthorized access’ element and that, therefore, the facts alleged here do not constitute a CFAA offense.

A contrary holding would convert the CFAA from an anti-hacking statute into a criminal prohibition on commonplace activities such as allowing a friend or family member to log in to your Facebook account. Congress cannot have intended the statute to have such a tremendously broad reach. See WEC Carolina Energy Solutions LLC v. Miller, supra, at 206 (rejecting CFAA interpretation that would produce ‘far-reaching effects unintended by Congress’); see also United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (rejecting CFAA interpretation that would convert ‘millions of ordinary citizens’ into CFAA criminals).
Brief of Appellant, supra at *1 - *2.
Later, the brief develops this argument in more detail:
[a]pplying the reasoning of WEC Carolina Energy Solutions LLC v. Miller, supra, this Court should conclude that accessing a computer using a password shared by an employee of the computer's owner - the fact pattern alleged in this case - does not violate the CFAA. In WEC Carolina, the Court held that the scope of the CFAA's ‘unauthorized access’ element was sufficiently ambiguous that the rule of lenity required the Court to ‘adopt a narrow reading.’ WEC Carolina Energy Solutions LLC v. Miller, supra.

Likewise, here, the statute does ‘not clearly criminalize[ ]’ shared-password access because a person who uses a password shared by an agent or employee of the computer owner is acting with ‘authorization,’ as that word is commonly understand. [sic] WEC Carolina Energy Solutions LLC v. Miller, supra. In addition to the rule of lenity, at least two other principles of statutory interpretation support the conclusion that the CFAA's ‘unauthorized access’ element does not cover shared-password access. First, a contrary holding would produce absurd results, most notably by criminalizing a wide swath of innocuous conduct such as a husband allowing his wife to check his email account or a parent logging in to monitor her children's activities on social media sites like Facebook or Snapchat.

Second, because the statute fails to provide the public with fair notice that shared-password access violates the ‘unauthorized access’ provisions, such a broad interpretation would render those provisions unconstitutionally vague as applied here. See United States v. Drew, 259 F.R.D. 449 (U.S. District Court for the Central District of California 2009) (holding that the government's broad interpretation of § 1030(a)(2)(C) renders that provision unconstitutionally vague). Thus, under the canon of constitutional avoidance, the Court should adopt the narrower interpretation.

As suggested by WEC Carolina, this Court should hold that the CFAA's ‘unauthorized access’ element prohibits computer hacking, such as the use of a worm or virus to access a computer without the permission of an agent or employee of the computer owner. Accordingly, the Court should reverse Rich's conviction and remand for dismissal of the indictment.
Brief of Appellant, supra at *7 - *8.
Unfortunately for Rich, the U.S. Court of Appeals for the 4th Circuit did not buy his arguments. United States v. Rich, supra. The Court of Appeals began its very brief opinion by explaining that
‘[w]here, as here, a district court's denial of a motion to dismiss an indictment depends solely on a question of law, we review the district court's ruling de novo.’ United States v. Bridges, 741 F.3d 464 (U.S. Court of Appeals for the 4th Circuit 2014). A federal indictment must contain the elements of the offense charged, fairly inform the defendant of the charge, and enable the defendant to plead double jeopardy as a defense to future prosecutions for the same offense. United States v. Resendiz–Ponce, 549 U.S. 102, 108 (2007); see Federal Rule of Criminal Procedure 7(c)(1).

Rich's sole challenge to the indictment is that it failed to allege that the conspirators lacked authorization to access LendingTree's network. With respect to this element, the indictment was required to allege that the conspirators agreed to either access a protected computer without authorization or exceed authorized access. See United States v. Moussaoui, 591 F.3d 263, 296 (U.S. Court of Appeals for the 4th Circuit 2010) (stating elements of conspiracy); 18 U.S.C. § 1030(a)(2)(C) (stating requirements of CFAA).
United States v. Rich, supra.
The Court of Appeals then addressed the specifics of Rich’s argument:
Rich argues that the factual summary accompanying his plea agreement indicates that the conspirators accessed LendingTree's network solely through administrator log-in credentials validly possessed by a coconspirator, and that such “password sharing” does not violate the CFAA. See WEC Carolina Energy Sols. LLP v. Miller, 687 F.3d 199 (U.S. Court of Appeals for the 4th Circuit 2012) (holding CFAA criminalizes obtaining or altering information individual lacked authorization to obtain or alter). We cannot consider this factual summary in reviewing the denial of a motion to dismiss, but must instead constrain our review ‘to the allegations contained in the indictment.’ United States v. Engle, 676 F.3d 405 (U.S. Court of Appeals for the 4th Circuit 2012).

We decline to reach Rich's argument regarding the scope of the CFAA because even assuming, per arguendo, that Rich's interpretation is correct, the indictment was sufficient to state an offense.

The indictment alleges that the conspirators ‘accessed without authorization and exceeded authorized access to one or more LendingTree Network protected computers . . . through the use of compromised LendingTree administrator log-in credentials.’ To the extent Rich argues that the indictment allows for the possibility that a coconspirator possessed valid log-in credentials, this possibility does not render the indictment deficient. The indictment clearly states that the access was ‘unauthorized’ and that the log-in credentials used were ‘compromised.’

Because we find that the indictment sufficiently alleges that the conspirators intended to access LendingTree's network without authorization, we conclude that the district court did not err in denying Rich's motion to dismiss.
United States v. Rich, supra. The court therefore affirmed the judgment of the district court. United States v. Rich, supra.

You can, if you are interested, read more about this case and the investigation that led to it and other indictments in the news stories you can find here, here and here.
