DOJ’s recent news release about Yevgeniy Nikulin, a visitor to Czech Republic from Russia, adds a new country to Mr. Nikulin’s travel itinerary: the United States of America. Instead of a tourist visa, the document allowing the U.S. visit would be a grand jury indictment for allegedly hacking computers of LinkedIn, Dropbox and Formspring. List of countries with which the United States has extradition agreements is a public information, freely available to anyone, and codified under 18 U.S.C. § 3181. Unofficial, but more colorful version is also available on Wikipedia. Russian Federation is not on the list. But, Czech Republic extradition history with the U.S. goes back to 1925. Recent confirmation of US-Czech extradition friendship is Treaty Doc. 109-14 (Agreement to ensure conformity with U.S.-EU Extradition Treaty), placed Czech Republic.
Perhaps, more interesting are the the charges that Mr. Nikulin faces, because these apply to anyone (within and without U.S.). According to the indictment, these are: 18 U.S.C. §§ 371, 1028A(a)(1), 1029(a)(2), 1030(a)(2)(C), 1030(a)(5)(A).
Fraud and related activity in connection with computers
18 U.S.C. § 1030(a)(2)(C) states:
Whoever—
* * *
intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
* * *
information from any protected computer;
* * *
shall be punished as provided in subsection (c) [a fine under this title or imprisonment for not more than one year, or both; or 5 years for commercial advantage/$5000 value of info] of this section.
18 U.S.C. § 1030(a)(2)(C) is written broadly, and serves as a reminder to anyone of using proper means of access for electronic information. In case of attorneys dealing with their clients, who may come to attorneys with evidence obtained through electronic means, it is important to find out how the information was derived and use that information carefully. According to the statute, the elements of offense are (1) intentional access, (2) no authorization or excess thereof, (3) protected computer and (4) information from that computer. That’s it! So if you are a jealous individual experiencing doubts about your significant other and secretly (without consent) checking his/her emails, you may be committing a crime carrying maximum prison sentence of 1 year!
U.S. prosecution team, also added a charge of 18 U.S.C. § 1030(a)(5)(A) stating:
Whoever-
* * *
knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
* * *
shall be punished as provided in subsection (c) [imprisonment for not more than 10 years] of this section.
Here, the interesting part is the “damage” clause. What is damage? In case of Mr. Nikylin, allegations state that damage in the following form: “caused damage to computers belonging to a LinkedIn employee and to Formspring by transmitting a program, information, code, or command.” It seems like, messing with someone’s program or placing something foreign can constitute damage. Again, broadly written language with potential 10 year incarceration consequence.
Aggravated identity theft
18 U.S.C. § 1028A(a)(1) states:
Whoever, during and in relation to any felony violation enumerated in subsection (c) [which includes above mentioned 18 U.S.C. § 1030], knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
Here, prosecution team states that Mr. Nikylin “used the credentials of LinkedIn and Formspring employees in connection with the computer intrusions.”
Fraud and related activity in connection with access devices
18 U.S.C. § 1029(a)(2) states:
Whoever—
* * *
knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices during any one-year period, and by such conduct obtains anything of value aggregating $1,000 or more during that period;
* * *
shall, if the offense affects interstate or foreign commerce, be punished as provided in subsection (c) [imprisonment for not more than 10 years] of this section
Here, it is the value of information that is at stake (“he obtained information from the computers”).
Conspiracy to commit offense or to defraud United States
18 U.S.C. § 371 is commonly invoked by prosecution and can be used for “any offense against the United States” such as above mentioned offenses. Here it is the conspiracy part that is interesting. According to the release, “[t]he prosecution is the result of an investigation by the FBI with the assistance of authorities in the Czech Republic.” So it is possible that FBI agent acted as a “friend” to “further” conspiracy of computer hack.