Fans of The Sopranos -- or any other TV show or movie about the mob -- have probably heard of the Racketeer Influenced and Corrupt Organizations (RICO) Act, which allows federal prosecutors to bring charges against anyone who's part of a vast criminal enterprise. But should RICO be employed to take down members of a cybercrime enterprise?
That came to pass recently, when -- for the first time -- a federal jury returned a guilty verdict against David Ray Camez (aka "Bad Man," "doctorsex"), 22, for his participation in the Russian-run forum Carder.su, which has been likened to an eBay for stolen identity information. Camez now faces up to 40 years in prison and a fine of up to $250,000.
Prosecutors argued that the site led to $50 million in losses. "It is difficult to fathom the enormity and complexity of the Carder.su racketeering organization and its far-reaching tentacles across international borders," Daniel Bogden, the US attorney for Nevada, said in a statement. "The Internet has provided sophisticated international criminals access to the United States and its citizens, and the ability and means to harm us."
But, according to his defense attorney Chris Rasmussen, Camez was only 17 when he bought his first fake ID from an undercover Secret Service agent known as "Celtic," and had nothing to do with running or operating Carder.su.
All of which begs the question: Was RICO properly applied in this case? "Prosecutors love the RICO statute in part because it's a huge hammer," Ifrah Law white collar crime attorney David B. Deitch told me in an interview. "The statute was written to go after what we think of as mobsters, the mafia, organized crime."
Shades of Aaron Swartz?
In some computer-related crime cases of late, prosecutors have gone too far. Many legislators, information security and privacy experts, and legal experts slammed Justice Department prosecutors for apparently attempting to score political points -- at the expense of dispensing appropriate justice -- after they threatened Reddit co-founder Aaron Swartz with 35 years in jail, simply for downloading millions of academic articles from the JSTOR academic database.
Swartz was protesting JSTOR charging for articles, when many had been supported by government funding. Ultimately, Swartz committed suicide. Later, federal prosecutors said that despite threatening Swartz with a number of charges, including violating the Computer Fraud and Abuse Act, they only would have recommended a seven-year sentence for Swartz. Given that Swartz returned all of the JSTOR articles he'd downloaded, and JSTOR officials requested that the government not prosecute Swartz -- and later began offering many of its articles for free -- even seven years seemed draconian.
Of course, Swartz had other options available to him. For starters, he could have pleaded to lesser charges -- and the same applied to Camez. "Just because you're charged with RICO doesn't mean you have to plea to RICO," attorney Mark Rasch, a former federal computer crime prosecutor based in Bethesda, Md., tells me by phone.
Camez chose to fight the two racketeering charges filed against him. "He's always insisted that although he may have been guilty of the charges, he was not responsible for the $50 million in loss that the government alleged," his attorney told the Las Vegas Review-Journal after the guilty verdict was announced.
A "great experiment" by prosecutors
During the trial, the newspaper reported, Rasmussen stood close to Camez, telling the jury: "This case isn't about this young man right here." Rather, he said it was a "great experiment" by prosecutors to try to establish that a website is a racketeering organization. "The government is on trial in this case just as much as David Camez," he said.
Notably, the judge in the Camez case allowed the RICO charges to proceed, and a jury, after deliberating for less than two hours, returned a guilty verdict.
A more common charge in this type of online crime case, according to Deitch, would have been conspiracy, which refers to two or more people agreeing to commit a crime, and which carries a maximum sentence of five years in prison. With RICO, however, "you can be sent to prison for 20 years -- so it's a big difference," says Deitch. That also hints at why prosecutors want to use RICO: It lets them bring greater penalties against suspects, including longer recommended jail times, as well as the prospect of their forfeiting ill-gotten gains.
"Like conspiracy, RICO allows you to get at a whole bunch of what you might call tangential or incidental conduct, and make it part of the enterprise," Rasch says. "What's different here is that at sentencing you're supposed to consider a person's role in the enterprise, and if they're a major participant or a minor participant in it. The problem is that even having a minor role in a $50 million case is pretty steep."
What's required to gain a RICO conviction? "This is over-simplifying a complex statute, but there are really two parts to it: you have to show a pattern of activity, meaning it's not just a one-off thing, and you have to show an enterprise, which is an organization with structure," Deitch says. The definition of "enterprise," however, remains amorphous. "Many thousands of trees have died in the service of case law trying to describe what an enterprise is," he said.
Despite the successful use of RICO in this case, Deitch says RICO-related cybercrime trials will remain rare "because the proof has to be very complicated" to make a RICO charge stick. At the same time, he argues that the bar for allowing RICO to be used should remain high, to avoid any potential misuse by overzealous prosecutors.
Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.