Judge Rejects Guilty Plea From AOL Employee

The Hobo writes "Newsday has a story on a New York judge who rejected Jason Smather's guilty plea. Smathers, covered previously on Slashdot, was the AOL employee who stole and sold AOL addresses to spammers. The judge himself apparently cancelled his AOL subscription due to receiving too much spam. While he didn't like what Jason did, he wasn't convinced a crime had been committed under the CAN-SPAM law, which requires that a person be deceived."

Does not compute

[October_30th]

Authorities said Smathers, who was fired by AOL in June, used another employee's access code to steal the list of AOL customers in 2003 from its headquarters in Dulles, Va., and sold it to spammers for more than $100,000.

I don't understand how this is not deceptive, fraudulent and illegal...

Re:Does not compute

[The+Only+Druid]

It doesn't matter if its deceptive or fradulent, because the charge was specifically done under a particular law: the can-spam act, which has specific requirements. The judge determined that the charge failed to allege an actual violation of that law.

Essentially, the judge instituted a 12(b)(6) motion, dismissing the suit for failure to state a claim upon which action could be based.

Re:Does not compute

[YrWrstNtmr]

It is. It just doesn't meet the specifics of CAN-SPAM, which is evidently what he was charged with, and tried to plead guilty to.

What the judge did was, IMHO, right, in the same way that bank robbery doesn't meet the specifics of the traffic laws.

Charge him with what he actually did, and let him plead guilty to that.

Re:Does not compute

[zakezuke]

I don't understand how this is not deceptive, fraudulent and illegal...

Perhaps it should be, but it's not. No one was actually deceived, the guy flat out used someone else's access code to gain access to a mail list and sell it. For example, if you gave a key to your house and I used it to go in and copy your phone list and sell it to a telemarketer. It's not trespass or breaking and entering because you gave me a key. It might not be deceptive because you might have given me the key to feed your cat and I might not have intended to copy your phone list at that time. And it's not theft because I only made a copy of your phone list. And there is no violation of copyright because a list of names and contact info can't be copyrighted.

I might be guilty of violating your trust but I don't see how any crime was committed.

Re:Does not compute

[GryMor]

Which is cause for a civel action against him by AOL with regards to his employment contract, and possibly an 'unauthorized use of a protected computer system' charge, but certainly doesn't hold up to the requirements for much of anything else.

Re:Does not compute

[zakezuke]

Trade Secret

However, there are three factors that (though subject to differing interpretations) are common to all such definitions: a trade secret is some sort of information that (a) is not generally known to the relevant portion of the public, (b) confers some sort of economic benefit on its holder (where, note well, this benefit must derive specifically from the fact that it is not generally known, not just from the value of the information itself), and (c) is the subject of reasonable efforts to maintain its secrecy.

Are e-mail addresses trade secrets?

a) Not known to the relevant portion of the public? E-mail addresses are a form of contact information that are given out by their very design.

b) Does AOLs user list confer some sort of economic benefit on the holder? You could argue this but according to the marketing AOL say they don't sell their user list so in a way they are saying they accept no economic benefit of their user directory.

c) Does AOL maintain reasonable efforts to maintain their user's e-mail addresses private? This is something that could be argued. One the one hand they don't sell their userlist to spammers but at the same time any old Joe can e-mail an AOL user at anytime.

As defined, I can see how one might argue one way or another, but let us ask ourselves this.

1) Is a list of phone numbers a trade secret?
2) Is a list of mobile numbers a trade secret?
3) Is a list of e-mail addresses a trade secret?

Re:Does not compute

[The+Only+Druid]

Actually, I did make the mistake of not being clear. I was saying "essentially its a 12b6", in that I wasn't sure of the proper criminal reference. My bad.

For those not clear what we're talking about: in the Federal Rules of Civil Procedure, rule 12, subsection B, subsection 6 allows for a motion that a claim be dismissed for failure to state a claim upon which an action can be granted. The criminal analogue is Federal Rules of Criminal Procedure 5.1(f), I believe. Both rules essentially say the following: if ALL the claims of the prosecution are entirely true, there still isn't a valid claim.

Re:Does not compute

[jrockway]

First, kill someone. Then run a red light while disposing of the body. :-)

Re:Does not compute

[CountBrass]

Heh I wouldn't bet on it. I was in court (for a traffic offence I hasten to add!) the main witnesses lied, we know he lied and could prove it: my barrister even crowed about the fact. And then failed to even raise the issue in court!

I was stunned.

Re:Does not compute

[addaon]

Yep. Libel, for example. Can't be charged with that for "helping the criminal with full knowledge of the crime to be committed". That's the point. It's the prosecutor's job to choose the law that's applicable.

Re:Does not compute

[jhigh]

You don't know for a fact that he had no permission from the company to access this data. If another employee gave him the access code they are, like it or not, they are being granted a license to access what ever data and resources are associated with that account. This would be *stupid* and ground for dismissal but in it self hardly a criminal act.

And this is why security policies are so important. If AOL's security policy explicitly states that no user is allowed to access another user's account, even if that user was given the password, then it is illegal because it would be unauthorized use of a computer. The computer doesn't belong to the user, and therefore the user has no right to authorize anyone else to use their account. It all depends on what AOL has stated in their security policy.

But will he be charged with theft?

[Antony-Kyre]

He stole a list of e-mail addresses. Isn't that theft? Even if he doesn't get charged with sending out spam, he did commit other crimes, right?

Re:But will he be charged with theft?

[jokach]

exactly, he's charged with "conspiracy and interstate transportation of stolen property" according to the article, which seems to fit the crime ... he used another employees access code which warrants theft ....... maybe we're missing something???

Re:But will he be charged with theft?

[aslate]

In the UK the Data Protection Act would have him down for that.

Re:But will he be charged with theft?

[TummyX]

Copyright is evil. Information wants to be free. Something about beer. Let the guy go! blah blah blah
</range>

Re:But will he be charged with theft?

[TummyX]

whoops, xml error, i know. i'm used to writing range tags.

Re:But will he be charged with theft?

> he's charged with "conspiracy and interstate transportation of stolen property"

The actual charge: "conspiracy to conspire and interstate a conspiracy for the electrical transportation of privately owned copyright protected electronic Internet based material constituting a conspiracy to interstate the committal to infringe laws defined by copyright infringement laws on the electronic Internet network, on Mondays, after 15:00 but not later than 17:00"

Re:But will he be charged with theft?

[girlarmy]

He commited several crimes, AOL specifically chose to have him prosecuted under the CAN-SPAM Act of 2003. My guess is for two reasons. One because it carries the harshest sentencing potential (criminal, meaning not just fines but jail time as well) and second because convictions under this act make an example. This is new highly publicised legislation, passed as a deterent more than anything else. Spammers have to be afraid, of laws that legislation like this enacts. If not, the legislation is worthless and not a springboard for passing other acts, creating more law with stricter guidelines and heftier consequences. The problem they ran into is that the meat of the law is about fraud and deception. As in, not fully disclosing the nature or source of the good or service being presented in the email. It's alluded to in the story "The judge, ... said it was not clear that Smathers had deceived anyone -a requirement of the new law."

No doubt he violated the terms of employment in his contract, any NDA he signed as well as non-compete contracts he agreed to. None of that is criminal however, it falls under civil law and the best they could do is take him to court and ask for damages. As for if he stole something, every /. reader knows it is never that clear with intellectual property. He didn't steal anything from the users, because they signed away all rights to the data when they signed up, ie it was never there's in the first place they were just borrowing it from AOL, who can do with it pretty much whatever they choose, under the terms of the User Agreement. As for if he stole anything from AOL any attorney could easily make the argurment that he in fact did not steal anything -which is criminal- he simply used the information inappropirately and profited from it, which is not criminal in this case, but again falls under civil law.

CAN-SPAM

[FiReaNGeL]

Maybe a crime hasn't been committed against this (obscure) law, but stealing critical info from the company you're working for and selling it to the highest bidder (or in this case, spammer) sure is. Was he accused of the wrong thing or what?

Re:CAN-SPAM

[hackstraw]

Maybe a crime hasn't been committed against this (obscure) law

Law in general is obscure. You know a society is too complex and complicated when highly respected people in that society have full time jobs to simply know the rules of that society.

Re:CAN-SPAM

[FiReaNGeL]

Ocimum`s Genowiz.

Oops I said it!

We can talk about it further in my blog`s forum or by mail, if you want too ;) Worst piece of software EVER. Even the installer had troubles... and it managed to crash my whole MACHINE (not just Windows) repeatetly (a "bug" later admitted when I talked to one of their engineer by phone). Features announced on the frontpage of their website completely absent from the product. 3000$. Yeah. Right.

Ding!

[Asshat+Canada]

You've got Bail!

Stealing is not a crime?

[toupsie]

Didn't the guy steal millions upon millions of AOL Screen Names and fence them? Isn't that covered under the STEAL-SHIT Act? Can I guarantee a reservation in his court? I have my eyes on this Porsche.

Re:Stealing is not a crime?

[Jahf]

If the list was proprietary / internal / confidential / whatever-your-company-calls-it and you steal it, then you have stolen the list. The law wouldn't be worried about the individual addresses but rather the list in total. Especially if said list has commercial value (which it obviously does).

I could definitely see this as corporate espionage. Overall I would say the defendant is getting off pretty easy.

Re:Stealing is not a crime?

[PreferredNom]

He's the judge, not the prosecutor. He adjudicates the charges made. He doesn't get to say, "Well, charge X is bogus but you're obviously guilty of unalleged charge Y, so Alcatraz it is!"

Re:Stealing is not a crime?

[Macadamizer]

I know that what I am about to say is considered verboten on /. but, whether you like it or not:

The law says intellectual property is property!

You may have theoretical or philosophical issues with this, fine -- but the law is what it is, until it is changed. And the law says IP is property.

And, contrary to what most on /. would like you to believe, the law has a more expansive notion of stealing than "depriving someone of a particular piece of tangible property." For some fun reading, here's an excerpt from FindLaw that is appropriate here:

"Intentional theft of trade secrets can constitute a crime under both federal and state law. The most significant federal law dealing with trade secret theft is the Economic Espionage Act of 1996 (EEA) (18 U.S.C., Sections 1831 to 1839). The Act gives the U.S. Attorney General sweeping powers to prosecute any person or company involved in trade secret misappropriation.

The EEA punishes intentional stealing, copying or receiving of trade secrets "related to or included in a product that is produced for or placed in interstate commerce." (18 U.S.C. 1832.) Penalties for violations are severe: Individuals may be fined up to $500,000 and corporations up to $5 million. A violator may also be sent to prison for up to ten years. If the theft is performed on behalf of a foreign government or agent, the corporate fines can double and jail time may increase to 15 years. (18 U.S.C. 1831.) In addition, the property used and proceeds derived from the theft can be seized and sold by the government. (18 U.S.C. 1831, 1834.)

The EEA applies not only to thefts that occur within the United States, but also to conduct outside the U.S. if the thief is a U.S. citizen or corporation, or if any act in furtherance of the offense occurred in the U.S. (18 U.S.C. 1838.) The EEA is a federal criminal statute and is enforced by the United States Attorneys' offices located throughout the country.

Several states have also enacted laws making trade secret infringement a crime. For example, in California it is a crime to acquire, disclose or use trade secrets without authorization. Violators may be fined up to $5,000, sentenced to up to one year in jail, or both. (Cal. Penal Code Section 499c.)"

Re:Stealing is not a crime?

[Macadamizer]

"Take copyright: rightsholders often say that they "own" music, but they don't, and the law is very clear on that. Rather, rightsholders own rights in the music. It's the rights themselves that have "property-like" qualities -- you can own, sell, transfer, &c. a copyright, but you can't "own" a song in the abstract."

If you want to get abstract, then what exactly is "property" anyway? All property is -- ANY property -- is just a "bundle of rights." The right to exclude is just one of the rights associated with "property" -- but show me one place in the law where it says that "property" has to be a tangible item. When you get down to the nitty-gritty, all "property" is is a bunch of rights that the government has given you.

If you own a house, you have a "bundle of rights" that include the right to exclude -- basically, the right to keep people off of your land. But even that right can be trumped by eminent domain, and your right to "exclude" lasts for only so long as you pay taxes on the property.

If someone else can lawfully take something from you, can you really say that you own it? But we associate home "ownership" with ownership of property -- so why not IP?

So, what does "ownership" really mean?

"In fact, that's the basis of the doctrine of first sale: the rightsholder owns the copyright, not the copy of the music (which you own, since you bought it)."

True. But not ALL of the rightsholder's rights are exhausted by the "first sale:" a rightsholder can still (in the case of copyright) control the public performance of THAT particular copy, or the making of a derivative work, or the reproduction.

So, even though you "own" the CD, what you "own" is a bundle of rights, including the right to listen to the music, the right to transfer "ownership," temporarily or permanently, of the CD to another person, the right to destroy the CD, the right to reproduce (as long as you limit yourself to an archival copy under the AHRA), and the right to exclude -- that is, the right to keep someone else from taking your copy.

But you DON'T get the right to publically perform that CD, or create a derivative work, or reproduce the CD (except as noted above). You don't get ALL of the rights. The rightsholders retain SOME of the rights.

That's why it's a mistake to think of property in terms of tangible v. intangible -- it's more proper to think of what "rights" you possess. Typically people associate ownership with the "right to exclude," but there is more to ownership than just that single right.

"Or take patents: if you buy a patented product, like a mousetrap, you've bought a mousetrap. You do, in fact own it. The patent holder has some exclusive rights in the mousetrap, however, such as the right to stop of you from replicating them. The patent holder doesn't own the idea per se, rather he owns rights in the idea."

And those rights give the power to exclude (keep others from building that mousetrap) -- so why isn't that ownership?

"You're completely off base."

Maybe, but I don't think so.

I wonder if AOL users

[multiplexo]

could band together and sue this guy and the asshole he sold the list to in civil court with a class action lawsuit. Nail him to the tune of a few billion dollars just to add insult to injury. Of course he should first spend some time in a nice secure federal pound-me-in-the-ass penitentiary. Having his anus blown out and being several billion dollars in debt would be just punishment and a fine deterrent.

Read the article before you comment...

[ZSpade]

Yes he stole the email addresses, that's not the point here. The judge said he couldn't be charged with the particular crime that the trial was for. That's why he scheduled a new trial in January.

Apparently the Can Spam law has found another way to be useless, but he'll still pay for the theft.

Nice to know that judge respects the law

[Software]

It's good to know that the judge respects and applies the law _as written_, and doesn't try to punish the defendant because he (the defendant) is a total scumbag.

I would rather the law had been written such that selling legitimate addresses to spammers was punishable by death, but that's not the way it happened. So, given that the CAN-SPAM law doesn't prohibit selling addresses to spammers (which may or may not be true), it seems like the right decision.

By the way, this guy needs a new defense lawyer. BADLY.

Re:Theft / Invasion of Privacy

I dont use AOL and have never used AOL

How are you posting this then? Wha...

Re:Theft / Invasion of Privacy

[The+Only+Druid]

Apparently, the prosecutors didn't believe they could prove those crimes, since the claim doesn't include charges of those crimes. The judge isn't allowed to create charges: the judge can only determine the validity of charges made by the prosecutors.

Re:Shouldn't he recuse himself?

[techno-vampire]

Actually, it looks like he's doing everything he can to avoid even the appearance of bias. He rejected the guilty plea because he's not convinced that the accuse's actions fit the requirements of the CAN-SPAM act. If he were biased, he'd just let the guy plead guilty and be done with it.

Re:Hello? PRIVACY POLICY?

[benjamindees]

Call it fraud, negligence to fulfill contract...

Whoa there skippy... there's a *big* difference between committing a crime and failing to fulfill the terms of a contract.

A crime is "theoretically" supposed to adversely affect more than just those involved, as in "the rest of society". That's why, in Civil court, you hire your own-ass lawyers, while, in Criminal court, the State prosecutes.

Now, granted, that line has been (intentionally) blurred lately, so I can't really fault you for not being able to tell the difference.

WTF?

[The+Cisco+Kid]

Ok, he didnt violate the you-can-spam act, nor should he have been charged under that. He should be charged with theft of private information from his employer.

Re:Shouldn't he recuse himself?

[the_mad_poster]

That's not quite true.... you can be biased and still hand down decisions on an issue that aren't biased. The problem, however, is that if someone doesn't like your decision, and you are biased, even if you didn't let that bias affect your decision, they can still pinpoint that as a reason not to accept your judgement.

The Law versus Justice

[geekwench]

(Obligatory disclaimer: IANAL)

Unfortunately, there are a couple of different things going on, here. First is the judge's inability to see the poverbial forest for the trees. Second is the ability to prove the merits of the case.

The CAN-SPAM Act is one of the most useless pieces of tripe ever to be bulldozed through Congress, and the reason for this is the list of qualifiers that was written in. The "standard of deception" is one of these items. To actually convict someone under this provision in CAN-SPAM, the spammer would have to send out an e-mail promising "Free Screensavers of Puppies, Kitties, and Unicorns!" that actually redirects to the "Girls fscking Giant Horse C*cks eXXXtravaganza!" website. In saying that the charges did not meet the standard, Judge Hellerstein was factually correct.

Smathers did not decieve the AOL members whose information was sold, nor the spammers who purchased it. The AOL members were not told "Oh, don't worry; I wouldn't _think_ of selling your information for to a bunch of sleazebags," and I'm sure that the spammers were under no illusions about the legality of the addresses they purchased. However, what he did commit was fraud. He defrauded the AOL users, and the company, and fraud is most certainly a prosecutable offense. Trying him under the CAN-SPAM statute seems like a really poor legal strategy.

Personally, I'd love to see the existing laws used more forcefully. And I wouldn't go after the spammers, but after the people who hire them. There are already statutes governing things like mortgage banking, mail fraud, practicing medicine without a license, dispending medications without a license... and very few of the existing laws are used to prosecute the companies that give spammers their raison d' etre. Go after the source, and the flood will ebb.

Re:The Law versus Justice

[ydra2]

Nice try but I'm amazed at the misconceptions of all the posters so far. geekwench came the closest but in court as in horseshoes, close doesn't count.

The real problem is that he was charged with a crime he probably didn't commit. he -WASN'T- charged with the crime he did commit which is "Unauthorized Access". See:

http://www.groklaw.net/article.php?story=200412170 91956894

for an article by a real lawyer about it. Further links are provided at groklaw.net.

In this case I think the judge is right and the prosecution screwed up royally. They need to charge him with the crime he committed and not some other crime that may have been committed by his customers or associates.

But one thing I -DO- agree with in many previous posts is that the CAN-SPAM act is simply legalizing spam and making it harder to prosecute.

You can legally send spam advertizing teen sluts and action wives as long as the pictures they send you really do confirm that they look like teen sluts and action wives. Then just have an opt-out list and you're perfectly legal. There is no requirement that the opt-out list actually works other than that list can't email you again. No problem there. Just start up a new list every day and name your new business $RAYDAYenterprises.com or something like that so you get 21enterprises or 351mustang or 23skidoo or whatever. As long as its a different list you're covered under the law because the law says nothing about removing "removees" from any other list or not giving or selling "removees" email addresses.

The CAN-SPAM act is basically a call-to-arms for spammers to march headfirst into battle. And your spam filter is the only thing between you and the spammers and the law that protects the spammers.

Re:Judge had AOL

[ScrewMaster]

Yes, but on the other hand he had the good sense to get rid of it. That's probably more than a lot of judges can say.

Simple use equates to deception

[droleary]

An email address that I give to AOL (or Slashdot or whoever) implies that the party so "gifted" is who I expect to send me email at that address. I'm sure many here go as far as actually creating email addresses keyed to a site (e.g., foobar+slashdot@example.com), but all email addresses should be considered non-transferable, even without those special measures. If I get an email to an address given to Slashdot that doesn't come from Slashdot, I have been deceived.

Well what do you know...

[MXK]

...reverse psychology does work!

Howl! Gnash!

[TiggertheMad]

He stole a list of e-mail addresses. Isn't that theft?

No, the **IA is EVIL! It's a backup copy! I bought it several years agon on vinyl, and so I am entitled to a space shifted copy! It isn't theft, because they still have a cop-

WAITAMINUET! I'm sorry. I didn't know that this was a story about spammers...

KILL the spammer! They are bandwidth thieves, stealing a 'commons' from all of us! This guy is a THIEF, he took a copy of a private list! Publish his address someone, so I can mail him a sack of POOP!

plea bargain...

[the-build-chicken]

...wow, wouldn't this suck if it was part of a plea bargin..."plead guilty to can-spam and we'll drop the theft/intellectual property charges"....doh!

Did the Prosecution Let Smathers Slip Away?

[BMcWilliams]

To make matters even more confusing, Smathers originally signed a document, available here, in November saying he agreed to plead guilty to violating 18 USC 2314, Interstate Transportation of Stolen Property. (To this legal sparrow, that seems like an appropriate charge.)

Then, on December 2, Smathers was arraigned instead for violating 18 USC 371, Conspiracy to Defraud the US Government. Smathers pled NOT guilty at the arraignment.

Then we have today's proceedings, with Smathers trying to enter a guilty plea, apparently to violating CAN-SPAM.

An "information" documentfiled at his arraignment does suggest Smathers was involved in sending decpetive and misleading spam using the AOL customer list. So maybe there is a CAN-SPAM aspect to this case.

But it really does look like the US Attorney's office was trying too hard to get a CAN-SPAM conviction under its belt.

There may be an interesting reason for this...

[fmaxwell]

The judge himself apparently cancelled his AOL subscription due to receiving too much spam. While he didn't like what Jason did, he wasn't convinced a crime had been committed under the CAN-SPAM law, which requires that a person be deceived.

If "Jason" isn't responsible, perhaps AOL is. If AOL was negligent in their security, then they can be held accountable for the damages that their users suffered. So by not putting the blame on Jason, AOL could be in the judge's sights. This might be a lot smarter move on the part of the judge than anyone realizes. Or I could be totally off-base.