Attacks/Breaches
12/17/2013
06:06 AM
50%
50%

Is Mob-Busting RICO Overkill For Combating Cybercrime?

The milestone conviction of 22-year-old David Camez for his participation in a Russian-run "carder" forum raises legitimate questions about the role of RICO in taking down cybercrime.

Fans of The Sopranos -- or any other TV show or movie about the mob -- have probably heard of the Racketeer Influenced and Corrupt Organizations (RICO) Act, which allows federal prosecutors to bring charges against anyone who's part of a vast criminal enterprise. But should RICO be employed to take down members of a cybercrime enterprise?

That came to pass recently, when -- for the first time – a federal jury returned a guilty verdict against David Ray Camez (aka "Bad Man," "doctorsex"), 22, for his participation in the Russian-run forum Carder.su, which has been likened to an eBay for stolen identity information. Camez now faces up to 40 years in prison and a fine of up to $250,000.

Prosecutors argued that the site lead to $50 million in losses. "It is difficult to fathom the enormity and complexity of the Carder.su racketeering organization and its far-reaching tentacles across international borders," Daniel Bogden, the US attorney for Nevada, said in a statement. "The Internet has provided sophisticated international criminals access to the United States and its citizens, and the ability and means to harm us."

But, according to his defense attorney Chris Rasmussen, Camez was only 17 when he bought his first fake ID from an undercover Secret Service agent known as "Celtic," and had nothing to do with running or operating Carder.su.

All of which begs the question: Was RICO properly applied in this case? "Prosecutors love the RICO statute in part because it's a huge hammer," Ifrah Law white collar crime attorney David B. Deitch told me in an interview. "The statute was written to go after what we think of as mobsters, the mafia, organized crime."

Shades of Aaron Swartz?
In some computer-related crimes cases of late, prosecutors have gone too far. Many legislators, information security and privacy experts, and legal experts slammed Justice Department prosecutors for apparently attempting to score political points -- at the expense of dispensing appropriate justice -- after they threatened Reddit co-founder Aaron Swartz with 35 years in jail, simply for downloading millions of academic articles from the JSTOR academic database.

Swartz was protesting JSTOR charging for articles, when many had been supported by government funding. Ultimately, Swartz committed suicide. Later, federal prosecutors said that despite threatening Swartz with a number of charges, including violating the Computer Fraud and Abuse Act, they only would have recommended a seven-year sentence for Swartz. Given that Swartz returned all of the JSTOR articles he'd downloaded, and JSTOR officials requested that the government not prosecute Swartz -- and later began offering many of its articles for free -- even seven years seemed draconian.

Of course, Swartz had other options available to him. For starters, he could have pleaded to lesser charges -- and the same applied to Camez. "Just because you're charged with RICO doesn't mean you have to plea to RICO," attorney Mark Rasch, a former federal computer crime prosecutor based in Bethesda, Md., tells me by phone.

Camez chose to fight the two racketeering charges filed against him. "He's always insisted that although he may have been guilty of the charges, he was not responsible for the $50 million in loss that the government alleged," his attorney told the Las Vegas Review-Journal after the guilty verdict was announced.

A "great experiment" by prosecutors
During the trial, the newspaper reported, Rasmussen stood close to Camez, telling the jury: "This case isn't about this young man right here." Rather, he said it was a "great experiment" by prosecutors to try to establish that a website is a racketeering organization. "The government is on trial in this case just as much as David Camez," he said.

Notably, the judge in the Camez case allowed the RICO charges to proceed, and a jury, after deliberating for less than two hours, returned a guilty verdict.

A more common charge in this type of online crime case, according to Deitch, would have been conspiracy, which refers to two or more people agreeing to commit a crime, and which carries a maximum sentence of five years in prison. With RICO, however, "you can be sent to prison for 20 years -- so it's a big difference," says Deitch. That also hints at why prosecutors want to use RICO: It lets them bring greater penalties against suspects, including longer recommended jail times, as well as the prospect of their forfeiting ill-gotten gains.

"Like conspiracy, RICO allows you to get at a whole bunch of what you might call tangential or incidental conduct, and make it part of the enterprise," Rasch says. "What's different here is that at sentencing you're supposed to consider a person's role in the enterprise, and if they're a major participant or a minor participant in it. The problem is that even having a minor role in a $50 million case is pretty steep."

What's required to gain a RICO conviction? "This is over-simplifying a complex statute, but there are really two parts to it: you have to show a pattern of activity, meaning it's not just a one-off thing, and you have to show an enterprise, which is an organization with structure," Deitch says. The definition of "enterprise," however, remains amorphous. "Many thousands of trees have died in the service of case law trying to describe what an enterprise is," he said.

Despite the successful use of RICO in this case, Deitch says RICO-related cybercrime trials will remain rare “because the proof has to be very complicated" to make a RICO charge stick. At the same, he argues that the bar for allowing RICO to be used should remain high, to avoid any potential misuse by overzealous prosecutors. 

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
melgross
50%
50%
melgross,
User Rank: Apprentice
12/17/2013 | 7:40:55 AM
Guilty?
If an individual admits to being guilty of the charges, what is a jury expected to do? I don't know if he admitted guilt during the trial, or as an aside afterwards. But I can't blame the government for going after the harsher choice, though they could have asked for a lesser penalty in this particular case. Should cyber crime be prosecuted under RICO? Sure! There are networks of criminals doing this. Estimates have been that cyber crime costs us billions a year. Crime is crime.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/17/2013 | 11:24:36 AM
Re: Guilty?
Thanks for your comment. What's notable here is that Camez never pleaded guilty. Rather, he was convicted, which makes this the first time that RICO was succesfully used in a cybercrime case that resulted in a guilty verdict. 

At first blush, I agree that using RICO to take down criminals seems like a no-brainer. But the case also raises a number of interesting legal questions. For starters, is a 17-year-old customer of an underground forum -- that's been likened to an eBay for ID thieves -- part of a "criminal enterprise"? Or is he just a thief who buys stolen IDs, and who might be succesfully rehabilitated after doing a bit of time?

Because he was convicted on the RICO front, this guy can be sent down for a much, much longer period of time (max 20 years) -- and be on the hook for the entire amount of money stolen by members of that eBay-like ID theft site -- than if he'd been convicted of a non-RICO charge (max 5 years). 

That's why Deitch was arguing that judges need to be careful about how they handle these kinds of cases. Prosecutors will always throw the biggest book (if you will) that they have at a suspect. But I'd argue that the time should fit the crime.

All that said, I think it will be interesting to see what kind of sentence Camez gets, and also if the RICO conviction holds up on appeal.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/17/2013 | 12:30:33 PM
Re: Guilty?
The appeal will be worth following, I'm also curious to see of Camez' attorneys will argue the appeal based on the inappropriateness (of lack of ) of the Rico statute. 
newsresponse
50%
50%
newsresponse,
User Rank: Apprentice
12/18/2013 | 12:57:28 AM
Other Side of the Story
I love the media. I have seen several articles like this, some more biased than others, but all with the same slant that the government is being overly abusive with its use of the RICO statute. However, in each article I seem to see only the portions of the story that paint Camez as a some poor kid who at 17 got wrapped up in some "ebay for criminals".

I followed this trial closely and what I don't see in the articles is any mention of the portions of the trial where Camez was trading guns for counterfeit credit cards or the portion of the trial where one of his codefendants testified that Camez advice to him after he got in trouble at a Walmart was to next time punch the cashier in the mouth or statements Camez made about his own crew beating up a cashier. 

What I think is telling, and only gets a cursory mention, is that the jury only deliberated for 2 hours (which actually included their lunch break). The trial lasted over 3 weeks and had dozens of witnesses. Often quoted experts say that RICO is an incredibly complex statute. Yet 12 people, who arent judges or lawyers, understood the law as it applied here and made a unanimous decision in less than 2 hours. That tells me that it wasn't much of a "government experiment" at all, but instead a way to deal with the new face of organized crime.

 

 
Brian Bartlett
50%
50%
Brian Bartlett,
User Rank: Apprentice
12/23/2013 | 3:31:53 AM
It doesn't matter...
whether you are a lieutenant, capo, bagman or enforcer. The organization, and it was definitely a group with  specific (illegal) shared goals, really is corrupt. Rackateers? Yes, they were engaging in a racket. All the elements are there, you'd need a lawyer to disect the theology needed to contradict the facts.

As for the age, this society recognizes that there are adult-size consequences to adult-size criminal acts. I understand the Aaron Schwartz analogy and it is far from the mark. No member of society was damaged save the owner of the repository and they forgave that.

As an aside: I've yet to scratch the surface of a US Attorney that din't have future higher office as a goal, which is why the statutes are heiniously applied. In this one case, where in my NSHO RICO was applied correctly, the US Attorney got the golden ring (look that up, youngsters ;). OTOH, I expect the Aaron Schwartz case is sticking to that lawyers shoes even today.

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.