Prof. Tom W. Bell
Wednesday, May 10, 2000
1:00 p.m. to 4:00 p.m.
YOUR EXAM NUMBER: _________
This exam consists of 4 essay questions. You have three hours in which to outline and write your answers. Please write your exam number above and turn in this exam with your answers.
This is an open book exam. You may use any material that I assigned for class reading and any notes that you or your study group prepared. You may not use any other materials, such as nutshells or commercial outlines. You may not use a computer or access the Internet.
Each question counts for 25% of your grade for this exam, so I advise you to allocate your time accordingly. I strongly suggest that before you begin writing an answer you: 1) read the question carefully; 2) think about exactly which issues you need to address; and 3) outline your answer. Good organization and good analysis almost always go hand-in-hand.
Start your answer to each essay question in a new booklet and number the booklets so that I can easily follow their intended sequence. Write on one side only of each page, on every other line. For your benefit and my eyesight, please write as legibly as possible. I cannot grade what I cannot read.
Unless otherwise indicated, all events described below take place in California. If you think it necessary to assume a fact in order to answer a question you may do so, but you should clearly indicate that you are making an assumption and briefly explain why you think it reasonable to do so. Please see the attached appendix for some helpful statutory materials.
If you have any procedural questions about taking this exam, please ask them now or contact me in my office during the exam.
In January, 2000, one "A-Bomb" (his/her actual identity being at that time unknown) wrote the "Crush" virus and released it on the Internet. Here is how the Crush virus works:
1) A victim receives an email having the subject line "I've got a crush on you!"
2) Because the text of the email claims that the attached file includes "an interesting photo," the gullible victim opens the file.
3) Rather than a photo, the attached file includes a virus program that, on computers lacking proper security measures, sends identical emails and attachments to every address stored in the victim's email program.
4) The Crush virus then corrupts a variety of files on the victim's computer, causing it to crash and lose data.
The Crush virus caused a great deal of harm to state, federal, and private computers throughout the United States. The following questions concern what response, if any, the legal process offers.
25% of exam's total grade
(suggested time: 45 minutes)
Suppose that you represent the U.S. government and that your security experts assure you that they have traced the Crush virus to one Kim Craft, an employee of Amazon.com. They further assure you that Craft (a.k.a., "A-Bomb") used Amazon.com's computing and telecommunication resources (albeit without Amazon.com's permission) to write and distribute the virus.
A. You want to bring a criminal suit in a Seattle-based federal court against Craft. Discuss your causes of action.
B. You want to raid the offices of Amazon.com to obtain evidence relevant to your prosecution. You have a warrant to search for, seize, and read information stored on any computer used by Craft. You of course hope to find information showing how Craft created and distributed the virus. Note that Craft is responsible for compiling and editing the book reviews that Amazon.com posts on its webpages. Discuss how relevant provisions of federal law might affect your search and seizure.
25% of exam's total grade
(suggested time: 45 minutes)
Suppose that you represent a California corporation and that your security experts assure you that they have traced the Crush virus to one Kim Craft, an employee of Amazon.com. They further assure you that Craft (a.k.a., "A-Bomb") used Amazon.com's computing and telecommunication resources (albeit without Amazon.com's permission) to write and distribute the virus. You want to bring a civil suit in a California court against both Craft and Amazon.com. Discuss the jurisdictional issues and your causes of action.
25% of exam's total grade
(suggested time: 45 minutes)
Suppose that you represent MySP.com, a large internet service provider (ISP), and that your security experts assure you that they have traced the Crush virus to one Kim Craft, an employee of Amazon.com. Because MySP.com wanted to protect its customers, it posted on its homepage background information about the Crush virus and directions on how to avoid being infected by it. The background information alleged that Craft created the virus. Craft, now defending herself against both criminal and civil charges, claims that she did not author the virus. She brings suit against MySP.com for defamation. Discuss your prospects of winning a motion for summary judgment.
25% of exam's total grade
(suggested time: 45 minutes)
A local group of hackers impressed by A-Bomb's virus-writing skills has registered the CRUSH.NET domain name with Network Solutions, rented space on a server in Irvine, and posted at WWW.CRUSH.NET information about the Crush virus. Their webpage includes the source code of the virus and instructions on how to implement it, allowing aspiring virus-writers to create new and better variations on the Crush virus.
A. As the California Attorney General, you want to enjoin CRUSH.NET from publishing information about how to create variations on the Crush virus. Discuss how the First Amendment will affect your effort.
B. You serve as counsel for the Crush Cola Company, manufacturer of the Orange Crush, Strawberry Crush, and Grape Crush soft drinks, holder of registered trademarks in those same names, and owner of the CRUSH.COM domain name. You want to shut down CRUSH.NET. Discuss whether and how you might do so via legal means.
Computer Fraud and Abuse Act, 18 USC § 1030 (2000)
(a) Whoever -
(1) having knowingly accessed a computer without authorization
or exceeding authorized access, and by means of such conduct
having obtained information that has been determined by the
United States Government pursuant to an Executive order or
statute to require protection against unauthorized disclosure for
reasons of national defense or foreign relations, or any
restricted data, as defined in paragraph y. of section 11 of the
Atomic Energy Act of 1954, with reason to believe that such
information so obtained could be used to the injury of the United
States, or to the advantage of any foreign nation willfully
communicates, delivers, transmits, or causes to be communicated,
delivered, or transmitted, or attempts to communicate, deliver,
transmit or cause to be communicated, delivered, or transmitted
the same to any person not entitled to receive it, or willfully
retains the same and fails to deliver it to the officer or
employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or
exceeds authorized access, and thereby obtains -
(A) information contained in a financial record of a
financial institution, or of a card issuer as defined in
section 1602(n) of title 15, or contained in a file of a
consumer reporting agency on a consumer, as such terms are
defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(B) information from any department or agency of the United
States; or
(C) information from any protected computer if the conduct
involved an interstate or foreign communication;
(3) intentionally, without authorization to access any
nonpublic computer of a department or agency of the United
States, accesses such a computer of that department or agency
that is exclusively for the use of the Government of the United
States or, in the case of a computer not exclusively for such
use, is used by or for the Government of the United States and
such conduct affects that use by or for the Government of the
United States;
(4) knowingly and with intent to defraud, accesses a protected
computer without authorization, or exceeds authorized access, and
by means of such conduct furthers the intended fraud and obtains
anything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and the value
of such use is not more than $5,000 in any 1-year period;
(5)
(A) knowingly causes the transmission of a program,
information, code, or command, and as a result of such
conduct, intentionally causes damage without authorization, to
a protected computer;
(B) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly
causes damage; or
(C) intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes damage;
(6) knowingly and with intent to defraud traffics (as defined
in section 1029) in any password or similar information through
which a computer may be accessed without authorization, if -
(A) such trafficking affects interstate or foreign commerce;
or
(B) such computer is used by or for the Government of the
United States; [1]
(7) with intent to extort from any person, firm, association,
educational institution, financial institution, government
entity, or other legal entity, any money or other thing of value,
transmits in interstate or foreign commerce any communication
containing any threat to cause damage to a protected computer;
shall be punished as provided in subsection (c) of this section.
(b) Whoever attempts to commit an offense under subsection (a) of this
section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this
section is -
(1)
(A) a fine under this title or imprisonment for not more
than ten years, or both, in the case of an offense under
subsection (a)(1) of this section which does not occur after a
conviction for another offense under this section, or an
attempt to commit an offense punishable under this
subparagraph; and
(B) a fine under this title or imprisonment for not more than
twenty years, or both, in the case of an offense under
subsection (a)(1) of this section which occurs after a
conviction for another offense under this section, or an
attempt to commit an offense punishable under this
subparagraph;
(2)
(A) a fine under this title or imprisonment for not more
than one year, or both, in the case of an offense under
subsection (a)(2), (a)(3), (a)(5)(C), or (a)(6) of this section
which does not occur after a conviction for another offense
under this section, or an attempt to commit an offense
punishable under this subparagraph; and [2]
(B) a fine under this title or imprisonment for not more than 5
years, or both, in the case of an offense under subsection
(a)(2), if -
(i) the offense was committed for purposes of commercial
advantage or private financial gain;
(ii) the offense was committed in furtherance of any
criminal or tortious act in violation of the Constitution
or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000;
[3]
(C) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(2), (a)(3) or (a)(6) of this section which occurs after a
conviction for another offense under this section, or an
attempt to commit an offense punishable under this
subparagraph; and
(3) (A) a fine under this title or imprisonment for not more
than five years, or both, in the case of an offense under
subsection (a)(4), (a)(5)(A), (a)(5)(B), or (a)(7) of this
section which does not occur after a conviction for another
offense under this section, or an attempt to commit an offense
punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(4), (a)(5)(A), (a)(5)(B), (a)(5)(C), or (a)(7) of this
section which occurs after a conviction for another offense
under this section, or an attempt to commit an offense
punishable under this subparagraph; and [4]
. . .
(e) As used in this section -
. . .
(2) the term "protected computer" means a computer -
(A) exclusively for the use of a financial institution or the
United States Government, or, in the case of a computer not
exclusively for such use, used by or for a financial
institution or the United States Government and the conduct
constituting the offense affects that use by or for the
financial institution or the Government; or
(B) which is used in interstate or foreign commerce or
communication;
. . .
(6) the term "exceeds authorized access" means to access a
computer with authorization and to use such access to obtain or
alter information in the computer that the accesser is not
entitled so to obtain or alter;
(8) the term "damage" means any impairment to the integrity
or availability of data, a program, a system, or information,
that -
(A) causes loss aggregating at least $5,000 in value during
any 1-year period to one or more individuals;
(B) modifies or impairs, or potentially modifies or impairs,
the medical examination, diagnosis, treatment, or care of one
or more individuals;
(C) causes physical injury to any person; or
(D) threatens public health or safety; and
. . .
(f) This section does not prohibit any lawfully authorized
investigative, protective, or intelligence activity of a law enforcement
agency of the United States, a State, or a political subdivision of a
State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of
this section may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief.
Damages for violations involving damage as defined in subsection
(e)(8)(A) are limited to economic damages. No action may be brought
under this subsection unless such action is begun within 2 years of the
date of the act complained of or the date of the discovery of the
damage.
. . .
Footnotes
[1] So in original. Probably should be followed by "or".
[2] So in original. The word "and" probably should not appear.
[3] So in original. Probably should be followed by "and".
[4] So in original. The "; and" probably should be a period.
[5] See References in Text note below.
[6] So in original. The period probably should be a semicolon.
Computer Fraud and Abuse Act, 18 USC § 1030 (2000)
(a) It is the intent of the Legislature in enacting this
section to expand the degree of protection afforded to individuals,
businesses, and governmental agencies from tampering, interference,
damage, and unauthorized access to lawfully created computer data and
computer systems. The Legislature finds and declares that the
proliferation of computer technology has resulted in a concomitant
proliferation of computer crime and other forms of unauthorized
access to computers, computer systems, and computer data.
The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers,
computer systems, and computer data is vital to the protection of the
privacy of individuals as well as to the well-being of financial
institutions, business concerns, governmental agencies, and others
within this state that lawfully utilize those computers, computer
systems, and data.
(b) For the purposes of this section, the following terms have the
following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with
the logical, arithmetical, or memory function resources of a
computer, computer system, or computer network.
. . .
(8) "Injury" means any alteration, deletion, damage, or
destruction of a computer system, computer network, computer program,
or data caused by the access.
(9) "Victim expenditure" means any expenditure reasonably and
necessarily incurred by the owner or lessee to verify that a computer
system, computer network, computer program, or data was or was not
altered, deleted, damaged, or destroyed by the access.
(10) "Computer contaminant" means any set of computer instructions
that are designed to modify, damage, destroy, record, or transmit
information within a computer, computer system, or computer network
without the intent or permission of the owner of the information.
They include, but are not limited to, a group of computer
instructions commonly called viruses or worms, that are
self-replicating or self-propagating and are designed to contaminate
other computer programs or computer data, consume computer resources,
modify, destroy, record, or transmit data, or in some other fashion
usurp the normal operation of the computer, computer system, or
computer network.
. . .
(c) Except as provided in subdivision (h), any person who commits
any of the following acts is guilty of a public offense:
(1) Knowingly accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer, computer
system, or computer network in order to either (A) devise or execute
any scheme or artifice to defraud, deceive, or extort, or (B)
wrongfully control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or
makes use of any data from a computer, computer system, or computer
network, or takes or copies any supporting documentation, whether
existing or residing internal or external to a computer, computer
system, or computer network.
(3) Knowingly and without permission uses or causes to be used
computer services.
(4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of
computer services to an authorized user of a computer, computer
system, or computer network.
(6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
computer network in violation of this section.
(7) Knowingly and without permission accesses or causes to be
accessed any computer, computer system, or computer network.
(8) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network.
(9) Knowingly and without permission uses the Internet domain name
of another individual, corporation, or entity in connection with the
sending of one or more electronic mail messages, and thereby damages
or causes damage to a computer, computer system, or computer
network.
(d) (1) Any person who violates any of the provisions of paragraph
(1), (2), (4), or (5) of subdivision (c) is punishable by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment in the
state prison for 16 months, or two or three years, or by both that
fine and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(2) Any person who violates paragraph (3) of subdivision (c) is
punishable as follows:
(A) For the first violation that does not result in injury, and
where the value of the computer services used does not exceed four
hundred dollars ($400), by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one
year, or by both that fine and imprisonment.
(B) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000) or in an injury,
or if the value of the computer services used exceeds four hundred
dollars ($400), or for any second or subsequent violation, by a fine
not exceeding ten thousand dollars ($10,000), or by imprisonment in
the state prison for 16 months, or two or three years, or by both
that fine and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(3) Any person who violates paragraph (6), (7), or (8) of
subdivision (c) is punishable as follows:
(A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding two hundred fifty
dollars ($250).
(B) For any violation that results in a victim expenditure in an
amount not greater than five thousand dollars ($5,000), or for a
second or subsequent violation, by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(C) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000), by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment in the
state prison for 16 months, or two or three years, or by both that
fine and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(4) Any person who violates paragraph (9) of subdivision (c) is
punishable as follows:
(A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding two hundred fifty
dollars ($250).
(B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one year,
or by both that fine and imprisonment.
(e) (1) In addition to any other civil remedy available, the owner
or lessee of the computer, computer system, computer network,
computer program, or data may bring a civil action against any person
convicted under this section for compensatory damages, including any
expenditure reasonably and necessarily incurred by the owner or
lessee to verify that a computer system, computer network, computer
program, or data was or was not altered, damaged, or deleted by the
access. For the purposes of actions authorized by this subdivision,
the conduct of an unemancipated minor shall be imputed to the parent
or legal guardian having control or custody of the minor, pursuant to
the provisions of Section 1714.1 of the Civil Code.
(2) In any action brought pursuant to this subdivision the court
may award reasonable attorney's fees to a prevailing party.
. . .
(f) This section shall not be construed to preclude the
applicability of any other provision of the criminal law of this
state which applies or may apply to any transaction, nor shall it
make illegal any employee labor relations activities that are within
the scope and protection of state or federal labor laws.
(g) Any computer, computer system, computer network, or any
software or data, owned by the defendant, that is used during the
commission of any public offense described in subdivision (c) or any
computer, owned by the defendant, which is used as a repository for
the storage of software or data illegally obtained in violation of
subdivision (c) shall be subject to forfeiture, as specified in
Section 502.01.
. . .
(2) Paragraph (3) of subdivision (c) does not apply to penalize
any acts committed by a person acting outside of his or her lawful
employment, provided that the employee's activities do not cause an
injury, as defined in paragraph (8) of subdivision (b), to the
employer or another, or provided that the value of supplies or
computer services, as defined in paragraph (4) of subdivision (b),
which are used does not exceed an accumulated total of one hundred
dollars ($100).
(i) No activity exempted from prosecution under paragraph (2) of
subdivision (h) which incidentally violates paragraph (2), (4), or
(7) of subdivision (c) shall be prosecuted under those paragraphs.
(j) For purposes of bringing a civil or a criminal action under
this section, a person who causes, by any means, the access of a
computer, computer system, or computer network in one jurisdiction
from another jurisdiction is deemed to have personally accessed the
computer, computer system, or computer network in each jurisdiction.
. . .
Access other teaching materials.
Return to Tom W. Bell's Homepage.
(C) 2000 Tom W. Bell. All rights reserved. Fully attributed noncommercial use of this document permitted if accompanied by this paragraph.