United States v. Ivanov

United States v. Ivanov was an American court case addressing subject-matter jurisdiction for computer crimes performed by Internet users outside of the United States against American businesses and infrastructure. In trial court, Aleksey Vladimirovich Ivanov of Chelyabinsk, Russia was indicted for conspiracy, computer fraud, extortion, and possession of illegal access devices; all crimes committed against the Online Information Bureau (OIB) whose business and infrastructure were based in Vernon, Connecticut.

Ivanov moved to dismiss the indictment, claiming that the court lacked subject-matter jurisdiction, arguing that "because he was physically located in Russia when the offenses were committed, he can not be charged with violations of United States law." The court denied Ivanov's motion, "first, because the intended and actual detrimental effects of Ivanov's actions in Russia occurred within the United States, and second, because each of the statutes under which Ivanov was charged with a substantive offense was intended by Congress to apply extraterritorially."

In a later ruling, Ivanov pleaded guilty to several crimes, including computer intrusion and computer fraud, and was sentenced to 48 months in prison followed by 3 months of supervised release.

Unlawful access and FBI capture
Ivanov attracted FBI attention in the Fall of 1999, when internet service provider (ISP) Speakeasy discovered their network had been compromised and informed the Seattle branch of the FBI. In early 2000, OIB also detected an attack and notified the FBI in Connecticut. Between late 1999 and early 2000, other large Internet corporations including CD Universe, Yahoo, and eBay also experienced similar attacks to Speakeasy and OIB. Computer forensics determined the Internet traffic for all attacks originated from the same machine in Russia. After linking his online alias "subbsta" and his resume, the FBI determined Ivanov's identity and initiated a sting operation to lure him to the United States for arrest.

The FBI constructed a false computer security company, Invita, in Seattle, Washington and invited Ivanov to interview for a position on November 10, 2000. Ivanov's interview involved hacking an FBI controlled honeypot. While Ivanov was hacking the FBI honeypot, all keystrokes and network traffic were recorded as potential evidence. In addition, the FBI made video and audio recordings of the entire interview process. After Ivanov successfully gained access to the FBI honeypot, he was arrested. The FBI used the recorded keystrokes and network traffic log to access the intermediary computers Ivanov used in Russia.

When the FBI accessed Ivanov's machines, they found folders with data corresponding to the companies he had remotely attacked. Over 2.3 GB of data was recovered from Ivanov's machines, including the tools used to gain illegal access and scripts that referenced companies that had been attacked.

Attack on OIB
Ivanov obtained superuser (root) access to OIB machines. By gaining root access to OIB's machines, Ivanov was effectively able to "control the data, e.g. credit card numbers and merchant account numbers, stored in OIB computers." After gaining access to OIB's systems, Ivanov contacted OIB using his online handle "subbsta", offering security assistance in exchange for $10,000. OIB refused to pay Ivanov which resulted in a final email: "now imagine please Somebody hack you network (and not notify you about this), he downloaded Atomic software with more than 300 merchants, transfer money, and after this did 'rm –rf' and after this you company be ruined. I don't want this, and because this I notify you about possible hack in you network, if you want you can hire me and im always check security in you network. What you think about this."

Indictment
When brought to trial in Connecticut, Ivanov was indicted on eight counts, six of which Ivanov appealed:
 * Count one charged Ivanov with conspiracy to commit computer fraud in violation of.
 * Charges two, three and six all alleged that Ivanov's activity violated, the Computer Fraud and Abuse Act. The government alleged that Ivanov knowingly accessed OIB's computers with intent to defraud and intentionally accessed OIB's machines with intent to collect information.
 * Count six alleged Ivanov "transmitted in interstate and foreign commerce communications containing a threat to cause damage to protected computers owned by OIB."
 * Count seven charged Ivanov with disrupting commerce by means of extortion in violation of.
 * Count eight charged Ivanov with possession of "unauthorized accesses devices" in violation of, which regulates fraud in connection with access devices.

Ivanov was subject to up to ninety years in prison if found guilty on all counts.

Ivanov's appeal
After his indictment, Ivanov filed for a motion to dismiss all charges because "he was physically located in Russia when the offenses were committed" and thus "he can not be charged with violations of United States law." The district court denied his appeal following two trains of logic: "first, because the intended and actual detrimental effects of Ivanov's actions in Russia occurred within the United States, and second, because each of the statutes under which Ivanov was charged with a substantive offense was intended by congress to apply extraterritorially."

The court argued that previous cases provided precedent for applying subject matter jurisdiction extraterritorially, so long as the "intended and detrimental effects" occurred within jurisdiction. The court cited United States v. Muench as stating, "the intent to cause effects within the United States... makes it reasonable to apply to persons outside United States territory a statute which is not expressly extraterritorial in scope." The court also cited United States v. Steinberg in claiming, "it has long been a commonplace of criminal liability that a person may be charged in the place where the evil results, even though he is beyond the jurisdiction where he starts the train of events of which the evil is the fruit."

The court then argued that the detrimental effects of Ivanov's attacks indeed took place in the United States, stating, "the fact the computers were accessed by means of a complex process initiated and controlled from a remote location does not alter the fact that the accessing of the computers, i.e, part of the detrimental effect prohibited by the statute, occurred at the place where the computers were physically located, namely OIB's place of business in Vernon, Connecticut."

In a second argument, the court stated that regardless of the previous logic, "to each of the statutes under which the defendant has been indicted for a substantive offense, there is clear evidence that the statute was intended to apply extraterritorially." The court then enumerated each of Ivanov's alleged offenses, the laws they referenced, and the specific language in the laws that implied extraterritorial application.

Following these arguments, the court denied Ivanov's motion to dismiss.

Subsequent rulings
Ivanov later pleaded guilty to several of the charges, including computer intrusion and computer fraud, and was sentenced to 48 months in prison followed by 3 months of supervised release.

Ivanov's crimes were not limited to Connecticut. He was also prosecuted and convicted in Washington, New Jersey, and California for similar crimes. In total, Ivanov was tried in five district courts, more than any other case listed on the United States Department of Justice listing of computer crimes.

Impact
Although the court ruled that the laws which Ivanov violated already extended extraterritorially, the USA PATRIOT Act increased the scope of the Computer Fraud and Abuse Act to expressly cover machines outside the United States.