It's All Bout Da Law
Computer Fraud and Abuse Act
From Wikipedia, the free encyclopedia
The Computer Fraud and Abuse Act (CFAA)[1] was enacted by Congress in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. It was written to clarify and increase the scope of the previous version of 18 U.S.C. § 1030
while, in theory, limiting federal jurisdiction to cases "with a
compelling federal interest-i.e., where computers of the federal
government or certain financial institutions are involved or where the
crime itself is interstate in nature." (see "Protected Computer",
below). In addition to clarifying a number of the provisions in the
original section 1030, the CFAA also criminalized additional
computer-related acts. Provisions addressed the distribution of
malicious code and denial of service attacks. Congress also included in
the CFAA a provision criminalizing trafficking in passwords and similar
items.[1]
The Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act.
In January 2015 Barack Obama proposed expanding the CFAA and the RICO Act in his Modernizing Law Enforcement Authorities to Combat Cyber Crime proposal.[2] DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren have stated opposition to this on the grounds it will make many regular Internet activities illegal, and moves further away from what they were trying to accomplish with Aaron's Law.[3][4]
Protected computers
The only computers, in theory, covered by the CFAA are defined as "protected computers". They are defined under section 18 U.S.C. § 1030(e)(2) to mean a computer:
- exclusively for the use of a financial institution or the United States Government, or any computer, when the conduct constituting the offense affects the computer's use by or for the financial institution or the Government; or
- which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States...
Criminal offenses under the Act
(a) Whoever—
- (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
- (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
- (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
- (B) information from any department or agency of the United States; or
- (C) information from any protected computer;
- (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
- (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
- (5)
- (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
- (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
- (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
- (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
- (A) such trafficking affects interstate or foreign commerce; or
- (B) such computer is used by or for the Government of the United States;
- (7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
- (A) threat to cause damage to a protected computer;
- (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
- (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion[6]
Specific sections
- : Computer Espionage. This section takes much of its language from the Espionage Act of 1917, with the notable addition being that it also covers information related to "Foreign Relations", not simply "National Defense" like the Espionage Act.
- : Computer trespassing, and taking government, financial, or commerce info
- : Computer trespassing in a government computer
- : Committing fraud with computer
- : Damaging a protected computer (including viruses, worms)
- : Trafficking in passwords of a government or commerce computer
- : Threatening to damage a protected computer
- : Conspiracy to violate (a)
- : Penalties
Notable cases and decisions referring to the Act
- United States v. Riggs, brought against people associated with Phrack magazine for obtaining a document (known as the "E911 document") about information on BellSouth products implementing 911 emergency telephone services, a case described in Bruce Sterling's "Hacker Crackdown of 1990". The government dropped the case after it was revealed that the document was on sale by AT&T for $13.
- United States v. Morris (1991), 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to "federal interest" computers. The Act was amended in 1996, in part, to clarify language whose meaning was disputed in the case.[7]
- Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit), holding that the use of a civil subpoena which is "patently unlawful," "in bad faith," or "at least gross negligence" to gain access to stored email is a breach of both the CFAA and the Stored Communications Act.[8]
- International Airport Centers, L.L.C. v. Citrin, 2006, in which Jacob Citrin deleted files from his company computer before he quit, in order to conceal alleged bad behavior while he was an employee.[9]
- LVRC Holdings v. Brekka, 2009 1030(a)(2), 1030(a)(4), in which LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business.[10][11]
- Robbins v. Lower Merion School District (U.S. Eastern District of Pennsylvania), where plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, violating the Act. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.[12][13]
- United States v. Lori Drew, 2008. The cyberbullying case involving the suicide of a girl harassed on MySpace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using against someone violating a terms of service agreement would make the law overly broad. 259 F.R.D. 449 [14][15]
- People v. SCEA, 2010. Class action lawsuit against Sony for removing OtherOS, the ability to install and run Linux (or other operating systems) on the PlayStation 3. Consumers were given the option to either keep OtherOS support or not. SCEA was allegedly in violation of this Act because if the consumers updated or not, they would still lose system functionality.[16]
- United States v. Drake, 2010. Drake was part of a whistle-blowing effort inside the NSA to expose waste, fraud, and abuse with the Trailblazer Project. He talked to a reporter about the project. He was originally charged with five Espionage Act counts for doing this. These charges were dropped just before his trial was to begin, and instead he pleaded guilty to one misdemeanor count of violating the CFAA, (a)(2), unauthorized access.
- United States v. Manning, 2010-. Chelsea Manning was a soldier who allegedly disclosed tens of thousands of documents to those 'not entitled to receive' them. Among the 34 counts against her, there are several under (a)(1) and (a)(2) of the CFAA, some specifically linked to files like the Reykjavik 13 State Department cable and a video of the July 12, 2007 Baghdad airstrike.[17]
- Grand Jury investigation in Cambridge, 2011. Unknown persons were listed in Grand Jury hearings in Cambridge, Massachusetts, regarding potential charges under the CFAA, as well as the Espionage Act. Journalist Glenn Greenwald has written these were likely related to Wikileaks.[18]
- United States v. Collins et al, 2011. A group of men and women connected to the collective Anonymous signed a plea deal to charges of conspiring to disrupt access to the payment website PayPal in response to the payment shutdown to Wikileaks over the Wau Holland Foundation which was part of a wider Anonymous campaign, Operation Payback.[19][20] They later became known under the name PayPal 14.
- United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. He was indicted for violating CFAA provisions (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI).[21] The case was dismissed after Swartz committed suicide in January 2013.[22]
- Sony Computer Entertainment America v. George Hotz and Hotz v. SCEA, 2011. SCEA sued "Geohot" and others for jailbreaking the PlayStation 3 system. The lawsuit alleged, among other things, that Hotz violated ([by] taking info from any protected computer). Hotz denied liability and contested the Court's exercise of personal jurisdiction over him.[23] The parties settled out of court. The settlement caused Geohot to be unable to legally hack the PlayStation 3 system furthermore.
- United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4)[24][25] This is a complex case with two trips to the Ninth Circuit, and another seen as likely after the latest conviction in 2013.[26]
- Lee v. PMSI, Inc., 2011. PMSI, Inc. sued former employee Lee for violating the CFAA by browsing Facebook and checking personal email in violation of the company's acceptable use policy. The court found that breaching an employer's acceptable use policy was not "unauthorized access" under the act and, therefore, did not violate the CFAA.
- United States v. Peter Alfred-Adekeye 2011. Adekeye allegedly violated (a)(2), when he allegedly downloaded CISCO IOS, allegedly something that the CISCO employee who gave him an access password did not permit. Adekeye was CEO of Multiven and had accused CISCO of anti-competitive practices.[27]
- Pulte Homes, Inc. v. Laborers' International Union 2011. Pulte Homes brought a CFAA suit against the Laborers' International Union of North America (LIUNA). After Pulte fired an employee represented by the union, LIUNA urged members to call and send email to the company, expressing their opinions. As a result of the increased traffic, the company's email system crashed.[28][29]
- United States v Sergey Aleynikov, 2011. Aleynikov was a programmer at Goldman Sachs accused of copying code, like high-frequency trading code, allegedly in violation of 1030(a)(2)(c) and 1030(c)(2)(B)i-iii and 2. This charge was later dropped, and he was instead charged with theft of trade secrets and transporting stolen property.[30][31]
- United States v Nada Nadim Prouty, circa 2010.[32] Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a U.S. attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship.[33]
- United States v. Neil Scott Kramer, 2011. Kramer was a court case where a cellphone was used to coerce a minor into engaging in sex with an adult. Central to the case was whether a cellphone constituted a computer device. Ultimately, the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform[s] arithmetic, logical, and storage functions", paving the way for harsher consequences for criminals engaging with minors over cellphones.[34]
- United States v. Kane, 2011. Exploiting a software bug in a poker machine does not constitute hacking[35] because the poker machine in question was not a “protected computer” under the statute (not being connected to the Internet, it was judged not to qualify as a "protected computer" affecting interstate commerce) and because the sequence of button presses that triggered the bug was considered to "not exceed their authorized access." As of November 2013 the defendant still faces a regular wire fraud charge.[36]
- Craigslist v. 3Taps, 2012. 3Taps was accused by Craigslist of breaching the CFAA by circumventing an IP block in order to access Craigslist's website and scrape its classified ads without consent. In August 2013, a US federal judge found that 3Taps's actions violated the CFAA and that it faces civil damages for “unauthorized access”. Judge Breyer wrote in his decision that "the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter".[37][38] He also noted "Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public v. nonpublic distinction — but [the relevant section] contains no such restrictions or modifiers."[39]
Aaron Swartz
The government was able to bring such disproportionate charges
against Aaron because of the broad scope of the Computer Fraud and Abuse
Act (CFAA) and the wire fraud statute. It looks like the government
used the vague wording of those laws to claim that violating an online
service’s user agreement or terms of service is a violation of the CFAA
and the wire fraud statute.
Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.
When our laws need to be modified, Congress has a responsibility to act. A simple way to correct this dangerous legal interpretation is to change the CFAA and the wire fraud statutes to exclude terms of service violations. I will introduce a bill that does exactly that.
Rep. Zoe Lofgren, Jan 15, 2013 [40]
In addition to Lofgren, Representative Darrell Issa and Representative Jared Polis, all on the House Judiciary Committee, raised questions about the government's handling of the case. Polis called the charges "ridiculous and trumped up," while referring to Swartz as a "martyr."[43] Issa, also chair of the House Oversight Committee, announced that he is investigating the actions of the Justice Department's prosecution.[43][44]
As of May 2014, Aaron's Law was stalled in committee, reportedly due to tech company Oracle's financial interests.[45]
Amendments history
2008[1]
- Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;
- Eliminated the requirement that the defendant’s action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;
- Expanded 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer;
- Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;
- Broadened the definition of “protected computer” in 18 U.S.C. § 1030(e)(2) to the full extent of Congress’s commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and
- Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.
See also
- Defense Secrets Act of 1911 / Espionage Act of 1917 / McCarran Internal Security Act 1950
- California Comprehensive Computer Data Access and Fraud Act
- Electronic Communications Privacy Act
- LVRC Holdings v. Brekka
- In re DoubleClick
- MBTA v. Anderson
- Information technology audit
- Computer security audit
- Computer fraud case studies
- The Hacker Crackdown (mentions the law, & the eponymous Chicago task force)
- Protected Computer
- Wikileaks
- Weev
References
- Dekel, Jonathan (May 1, 2014). "Swartz doc director: Oracle and Larry Ellison killed Aaron’s Law". Postmedia.
External links
- 18 U.S.C. § 1030, text of the law
- Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, by Charles Doyle, CRS, 12 27 2010, (FAS.org)
Crying Like Da Bitch
Computer Fraud And Abuse Act Reform
After the tragic death of programmer and Internet activist Aaron Swartz, EFF calls to reform the infamously problematic Computer Fraud and Abuse Act (CFAA). In June 2013, Aaron's Law, a bipartisan bill to make common sense changes to the CFAA was introduced by Reps. Lofgren and Sensenbrenner. You can help right now by emailing your Senator and Representative to reform the draconian computer crime law.
The CFAA is the federal anti-hacking law. Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what "without authorization" actually means. The statute does attempt to define "exceeds authorized access," but the meaning of that phrase has been subject to considerable dispute. While the CFAA is primarily a criminal law intended to reduce the instances of malicious hacking, a 1994 amendment to the bill allows for civil actions to be brought under the statute.
Creative prosecutors have taken advantage of this confusion to bring criminal charges that aren't really about hacking a computer, but instead target other behavior prosecutors dislike. For example, in cases like United States v. Drew and United States v. Nosal the government claimed that violating a private agreement or corporate policy amounts to a CFAA violation. This shouldn't be the case. Compounding this problem is the CFAA's disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient "authorization" can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government's case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were "unauthorized" access claims.
EFF is championing reforms to the CFAA. These suggestions expand on Zoe Lofgren's terrific draft bill known as Aaron's Law. We will expand on this and address other flaws of the CFAA, as well.
Our proposals
- Proposal Language
- An Overview
- Part 1: No Prison Time For Violating Terms of Service
- Part 2: Protect Tinkerers, Security Researchers, Innovators, and Privacy Seekers
- Part 3: The Punishment Should Fit the Crime
- The CFAA Hampers Security Research
- The CFAA Stifles Innovation
- The CFAA Must Allow for Anonymity and Privacy
Additional Suggestions for improving the Penalty Scheme
Reporting Computer, Internet-related, Or Intellectual Property Crime
Internet-related crime, like any other
crime, should be reported to appropriate law enforcement
investigative authorities at the local, state, federal, or
international levels, depending on the scope of the crime.
Citizens who are aware of federal crimes should report them to local
offices of federal law enforcement.
Reporting Computer Hacking, Fraud and Other Internet-Related Crime
The primary federal law enforcement agencies that investigate domestic crime on the Internet include: the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE), the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF). Each of these agencies has offices conveniently located in every state to which crimes may be reported. Contact information regarding these local offices may be found in local telephone directories. In general, federal crime may be reported to the local office of an appropriate law enforcement agency by a telephone call and by requesting the "Duty Complaint Agent."
Each law enforcement agency also has a
headquarters (HQ) in Washington, D.C., which has agents who
specialize in particular areas. For example, the FBI and the U.S. Secret
Service both have headquarters-based specialists in computer
intrusion (i.e., computer hacker) cases.
To determine some of the federal
investigative law enforcement agencies that may be appropriate
for reporting certain kinds of crime, please refer to the following
table:
Type of Crime | Appropriate federal investigative law enforcement agencies |
Computer intrusion (i.e. hacking) | |
Password trafficking | |
Counterfeiting of currency | |
Child Pornography or Exploitation | |
Child Exploitation and Internet Fraud matters that have a mail nexus | |
Internet fraud and SPAM | |
Internet harassment | |
Internet bomb threats | |
Trafficking in explosive or incendiary devices or firearms over the Internet |
- The Internet Crime Complaint Center (IC3) The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). IC3's mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, and local level, IC3 provides a central referral mechanism for complaints involving Internet related crimes.
- Department of Homeland Security's National Infrastructure Coordinating Center: (202) 282-9201 (report incidents relating to national security and infrastructure issues)
- U.S. Computer Emergency Readiness Team (U.S. CERT) (online reporting for technicians)
Reporting Intellectual Property Crime
Type of Crime | Appropriate federal investigative law enforcement agencies |
Copyright piracy (e.g., software, movie, sound recordings) | |
Trademark counterfeiting | |
Theft of trade secrets / Economic Espionage | |
- "Reporting Intellectual Property Crime: A Guide for Victims of Counterfeiting, Copyright Infringement, and Theft of Trade Secrets" (PDF) This guide is contained in Appendix C of the Report of the Department of Justice's Intellectual Property Task Force (October 2004) (PDF). The guide also contains the following checklists for reporting intellectual property crime to law enforcement: Checklist for Reporting a Copyright Infringement or Counterfeit Trademark Offense (PDF); Checklist for Reporting a Theft of Trade Secrets Offense (PDF)
- Other Government Initiatives to Combat Cybercrime
National Intellectual Property Rights Coordination Center
The IPR Coordination Center's responsibilities include:
- Coordinating U.S. government domestic and international law enforcement activities involving IPR issues.
- Serving as a collection point for intelligence provided by private industry, as well as a channel for law enforcement to obtain cooperation from private industry (in specific law enforcement situations).
- Integrating domestic and international law enforcement intelligence with private industry information relating to IPR crime, and disseminating IPR intelligence for appropriate investigative and tactical use.
- Developing enhanced investigative, intelligence and interdiction capabilities.
- Serving as a point of contact regarding IPR law enforcement related issues.
The stopfakes.gov website provides information to consumers and businesses on intellectual property, including information on how to report trade in fake goods.
Those with specific information regarding intellectual property crime can submit an IPR Coordination Center Complaint Referral Form.
Updated May 26, 2015
H. Marshall Jarrett, Director, EOUSA
Michael W. Bailie, Director, OLE
OLE Litigation Series
Ed Hagen, Assistant Director, OLE
Scott Eltringham, Computer Crime and Intellectual Property Section, Editor in Chief
Prosecuting Computer Crimes
Computer Crime and Intellectual Property Section, Criminal Division
Published by Office of Legal Education, Executive Office for United States Attorneys
The Office of Legal Education intends that this book be used by Federal prosecutors for training and law enforcement purposes.
The contents of this book provide internal suggestions to
Department of Justice attorneys. Nothing in it is intended
to create any substantive or procedural rights, privileges, or
benefits enforceable in any administrative, civil, or crimina
Table of Contents
Preface and Acknowledgements
Chapter 1. Computer Fraud and Abuse Act
A. Key Definitions
B. Obtaining National Security Information, § 1030(a)(1)
C. Accessing a Computer and Obtaining Information, § 1030(a)(2)
D. Trespassing in a Government Computer, § 1030(a)(3)
E. Accessing to Defraud and Obtain Value, § 1030(a)(4)
Scope: Connecticut laws/regulations
June 28, 2012
2012-R-0254
PENALTIES FOR COMPUTER HACKING
By: Christopher Reinhart, Chief Attorney
SUMMARY
Someone who hacks into another person's computer could be punished under a number of different crimes, depending on the circumstances. The law punishes hacking under the computer crime statutes. These crimes carry penalties ranging from a class B misdemeanor (punishable by up to six months in prison, a fine of up to $1,000, or both) to a class B felony (punishable by up to 20 years in prison, a fine of up to $15,000, or both). The law also punishes unauthorized access to a computer or computer network, with penalties ranging from a class B misdemeanor to a class D felony (punishable by up to five years in prison, a fine of up to $5,000, or both).
A number of generally applicable crimes could also apply. For example, hacking could be done to commit identity theft or larceny and it could be punished under those generally applicable crimes.
In addition to criminal penalties, the law specifically authorizes someone harmed by a computer or unauthorized use crime to bring a civil lawsuit against the perpetrator. These civil actions are in addition to any other grounds for a civil action that the injured party may have.
COMPUTER CRIMES
A person commits a “computer crime” when he or she:
1. accesses a computer system without authorization;
2. accesses or uses a computer system to obtain unauthorized computer services (including computer access, data processing, and data storage);
3. intentionally or recklessly disrupts, degrades, or causes disruption or degradation of computer services or denies or causes denial of computer services to an authorized user; or
4. intentionally or recklessly tampers with, takes, transfers, conceals, alters, or damages any equipment used in a computer system.
It is also a computer crime to misuse computer system data. A person commits this crime by:
1. accessing a computer system to use, disclose, or copy data residing in, communicated by, or produced by a computer system;
2. intentionally or recklessly and without authorization (a) tampering with, damaging, or taking data intended for use by a computer system or (b) intercepting or adding to data residing within a computer system;
3. knowingly receiving or retaining data obtained through misuse of computer system information; or
4. using or disclosing data he or she knows or believes was obtained through misuse of computer system information (CGS § 53a-251).
The punishment for committing one of these computer crimes depends on the damage caused and risk of harm created. Table 1 displays the five degrees of computer crime, the amount of damage or harm required for each, and their penalties.
Table 1: Degrees of Computer Crime and the Requirements for Each Penalty (CGS § 53a-252 et seq.)
Degree of Computer Crime | Amount of Damage or Harm Required | Penalty |
---|---|---|
1st degree | Damage to or the value of the property or computer services is over $10,000 | B felony (up to 20 years in prison, a fine of up to $15,000, or both) |
2nd degree | Damage to or the value of the property or computer services is over $5,000 | C felony (up to 10 years in prison, a fine of up to $10,000, or both) |
3rd degree | ● Damage to or the value of the property or computer services is over $1,000 ● Reckless conduct that creates a risk of serious physical injury to another person | D felony (up to five years in prison, a fine of up to $5,000, or both) |
4th degree | Damage to or the value of the property or computer services is over $500 | A misdemeanor (up to one year in prison, a fine of up to $2,000, or both) |
5th degree | Damage to or the value of the property or computer services, if any, is $500 or less | B misdemeanor (up to six months in prison, a fine of up to $1,000, or both) |
The law allows the court to require someone convicted of a computer crime to pay up to double the amount of the defendant's gain from the crime, instead of paying a fine (CGS § 53a-257).
The law gives Connecticut courts jurisdiction whenever any act in furtherance of a computer crime occurs in this state or any computer system or part of one accessed in a computer crime is located in this state (CGS § 53a-261).
UNAUTHORIZED USE OF COMPUTER OR COMPUTER NETWORK
It is a crime to use a computer or computer network without authority and with the intent to:
1. temporarily or permanently remove, halt, or disable computer data, programs, or software;
2. cause a computer to malfunction;
3. alter or erase computer data, programs, or software;
4. create or alter a financial instrument or an electronic funds transfer;
5. cause physical injury to another's property;
6. make or cause to be made an unauthorized copy of computer data, programs, or software residing in, communicated by, or produced by a computer or computer network; or
7. falsify or forge email information or other routing information in any manner in connection with the transmission of unsolicited bulk email through or into the computer network of an electronic mail service provider or its subscribers.
This crime is a class B misdemeanor but if the person causes over $2,500 in property damage it is a (1) class A misdemeanor if the person acted with reckless disregard for the consequences of his or her actions and (2) class D felony if the person acted maliciously (CGS § 53-451).
TERRORISM
The law makes it a class B felony if a person commits a computer crime or unauthorized use of a computer or computer network with intent to intimidate or coerce the civilian population or a unit of government. When the crime is directed against a public safety agency, the law imposes a five year mandatory minimum sentence (CGS § 53a-301).
OTHER CRIMES
Depending on the circumstances, a person who hacks into another's computer could be punished by a number of generally applicable crimes.
For example, if the hacking is done to take personal identifying information for certain purposes, it could be punishable as identity theft. Penalties for identity theft range from a class D to class B felony, primarily based on the value of property taken through the use of personal identifying information and the victim's age (CGS § 53a-129a).
A person could also hack into a computer to commit larceny. Larceny is intentionally and wrongfully taking, obtaining, or withholding property from an owner in order to appropriate it to himself, herself, or another. The penalties for larceny range from a class C misdemeanor (punishable by up to three months in prison, a fine of up to $500, or both) to a class B felony, primarily based on the value of the property taken (CGS § 53a-118 et seq.).
CIVIL ACTIONS
The law specifically authorizes someone harmed by a computer or unauthorized use crime to bring a civil lawsuit against the perpetrator. These civil actions are in addition to any other grounds for a civil action that the injured party may have.
Computer Crime
Anyone who believes a person has engaged, is engaging, or is about to engage in a computer crime can file a civil action for (1) a temporary or permanent order preventing the activity; (2) restitution; or (3) appointment of a receiver.
A person who suffers a personal injury or damage to his or her business or property can also bring an action for damages. The person can recover actual damages, unjust enrichment, triple damages if the defendant acted wilfully and maliciously, reasonable costs, and reasonable attorney's fees (CGS § 52-570b).
Unauthorized Use
A person whose property or person is injured by unauthorized use of a computer or computer network can bring a civil action to enjoin further violations and to recover actual damages, including lost profits, and the costs of the action (CGS § 53-452). The attorney general can also bring an action (CGS § 53-453).
CR:ro
Computer and network surveillance
From Wikipedia, the free encyclopedia
This article is about monitoring of computer and network activity. For information on methods of preventing unauthorized access to computer data, see computer security.
Main article: Surveillance
Computer and network surveillance is the monitoring of computer activity and data stored on a hard drive, or data being transferred over computer networks such as the Internet.
The monitoring is often carried out covertly and may be completed by governments, corporations, criminal organizations, or individuals. It may or may not be legal and may or may not require authorization from a court or other independent government agency.
Computer and network surveillance programs are widespread today and almost all Internet traffic can be monitored for illegal activity.[1]
Surveillance allows governments and other agencies to maintain social control, recognize and monitor threats, and prevent and investigate criminal activity. With the advent of programs such as the Total Information Awareness program, technologies such as high speed surveillance computers and biometrics software, and laws such as the Communications Assistance For Law Enforcement Act, governments now possess an unprecedented ability to monitor the activities of citizens.[2]
However, many civil rights and privacy groups, such as Reporters Without Borders, the Electronic Frontier Foundation, and the American Civil Liberties Union, have expressed concern that with increasing surveillance of citizens we will end up in or are even already in a mass surveillance society, with limited political and/or personal freedoms. Such fear has led to numerous lawsuits such as Hepting v. AT&T.[2][3] The hacktivist group Anonymous has hacked into government websites in protest of what it considers "draconian surveillance".[4][5]
Network surveillance
See also: Signals intelligence
The vast majority of computer surveillance involves the monitoring of data and traffic on the Internet.[6] For example, in the United States, the Communications Assistance For Law Enforcement Act mandates that all phone calls and broadband internet traffic (emails, web traffic, instant messaging, etc.) be available for unimpeded, real-time monitoring by Federal law enforcement agencies.[7][8][9]
Packet capture (also known as "packet sniffing") is the monitoring of data traffic on a computer network.[10] Data sent between computers over the Internet or between any networks takes the form of small chunks called packets, which are routed to their destination and assembled back into a complete message. A Packet Capture Appliance intercepts these packets, so that they may be examined and analyzed. Computer technology is needed to perform traffic analysis and sift through intercepted data to look for important/useful information. Under the Communications Assistance For Law Enforcement Act, all U.S. telecommunications providers are required to install such packet capture technology so that Federal law enforcement and intelligence agencies are able to intercept all of their customers' broadband Internet and voice over Internet protocol (VoIP) traffic.[11]
There is far too much data gathered by these packet sniffers for human investigators to manually search through. Thus, automated Internet surveillance computers sift through the vast amount of intercepted Internet traffic, filtering out,[12] and reporting to investigators those bits of information which are "interesting", for example, the use of certain words or phrases, visiting certain types of web sites, or communicating via email or chat with a certain individual or group.[13] Billions of dollars per year are spent by agencies such as the Information Awareness Office, NSA, and the FBI, for the development, purchase, implementation, and operation of systems which intercept and analyze this data, extracting only the information that is useful to law enforcement and intelligence agencies.[14]
Similar systems are now used by Iranian secret police to identify and suppress dissidents. All of the technology has been allegedly installed by German Siemens AG and Finnish Nokia.[15]
The Internet's rapid development has become a primary form of communication. More people are potentially subject to Internet surveillance. There are advantages and disadvantages to network monitoring. For instance, systems described as "Web 2.0"[16] have greatly impacted modern society. An advantage to online surveillance is that large social media platforms, such as YouTube, Twitter and Facebook, enable people to contact friends, family, and strangers daily. Tim O’Reilly, who first explained the concept of "Web 2.0",[16] stated that Web 2.0 provides communication platforms that are "user generated", with self-produced content, motivating more people to communicate with friends online.[17] However, Internet surveillance also has a disadvantage. One researcher from Uppsala University said "Web 2.0 surveillance is directed at large user groups who help to hegemonically produce and reproduce surveillance by providing user-generated (self-produced) content. We can characterize Web 2.0 surveillance as mass self-surveillance".[18] Surveillance companies monitor people while they are focused on work or entertainment. This can emotionally affect people; this is because it can cause emotions like jealousy. A research group states "...we set out to test the prediction that feelings of jealousy lead to ‘creeping’ on a partner through Facebook, and that women are particularly likely to engage in partner monitoring in response to jealousy".[19] The study shows that women can become jealous of other people when they are in an online group.
Corporate surveillance
See also: Computer surveillance in the workplace
Corporate surveillance of computer activity is very common. The data collected is most often used for marketing purposes or sold to other corporations, but is also regularly shared with government agencies. It can be used as a form of business intelligence, which enables the corporation to better tailor their products and/or services to be desirable by their customers. Or the data can be sold to other corporations, so that they can use it for the aforementioned purpose. Or it can be used for direct marketing purposes, such as targeted advertisements, where ads are targeted to the user of the search engine by analyzing their search history and emails[20] (if they use free webmail services), which is kept in a database.[21]
One important component of prevention is establishing the business purposes of monitoring, which may include the following:
- Preventing misuse of resources. Companies can discourage unproductive personal activities such as online shopping or web surfing on company time. Monitoring employee performance is one way to reduce unnecessary network traffic and reduce the consumption of network bandwidth.
- Promoting adherence to policies. Online surveillance is one means of verifying employee observance of company networking policies.
- Preventing lawsuits. Firms can be held liable for discrimination or employee harassment in the workplace. Organizations can also be involved in infringement suits through employees that distribute copyrighted material over corporate networks.
- Safeguarding records. Federal legislation requires organizations to protect personal information. Monitoring can determine the extent of compliance with company policies and programs overseeing information security. Monitoring may also deter unlawful appropriation of personal information, and potential spam or viruses.
- Safeguarding company assets. The protection of intellectual property, trade secrets, and business strategies is a major concern. The ease of information transmission and storage makes it imperative to monitor employee actions as part of a broader policy.
A second component of prevention is determining the ownership of technology resources. The ownership of the firm’s networks, servers, computers, files, and e-mail should be explicitly stated. There should be a distinction between an employee’s personal electronic devices, which should be limited and proscribed, and those owned by the firm.
For instance, Google, the world's most popular search engine, stores identifying information for each web search. An IP address and the search phrase used are stored in a database for up to 18 months.[22] Google also scans the content of emails of users of its Gmail webmail service, in order to create targeted advertising based on what people are talking about in their personal email correspondences.[23] Google is, by far, the largest Internet advertising agency—millions of sites place Google's advertising banners and links on their websites, in order to earn money from visitors who click on the ads. Each page containing Google advertisements adds, reads, and modifies "cookies" on each visitor's computer.[24] These cookies track the user across all of these sites, and gather information about their web surfing habits, keeping track of which sites they visit, and what they do when they are on these sites. This information, along with the information from their email accounts, and search engine histories, is stored by Google to use to build a profile of the user to deliver better-targeted advertising.[23]
The United States government often gains access to these databases, either by producing a warrant for it, or by simply asking. The Department of Homeland Security has openly stated that it uses data collected from consumer credit and direct marketing agencies for augmenting the profiles of individuals that it is monitoring.[21]
Malicious software
For a more detailed discussion of topics mentioned in this section see: Spyware, Computer virus, Trojan (computer security), Keylogger, Backdoor (computing)
In addition to monitoring information sent over a computer network, there is also a way to examine data stored on a computer's hard drive, and to monitor the activities of a person using the computer. A surveillance program installed on a computer can search the contents of the hard drive for suspicious data, can monitor computer use, collect passwords, and/or report back activities in real-time to its operator through the Internet connection.[25] A keylogger is an example of this type of program. Normal keylogging programs store their data on the local hard drive, but some are programmed to automatically transmit data over the network to a remote computer or Web server.
There are multiple ways of installing such software. The most common is remote installation, using a backdoor created by a computer virus or trojan. This tactic has the advantage of potentially subjecting multiple computers to surveillance. Viruses often spread to thousands or millions of computers, and leave "backdoors" which are accessible over a network connection, and enable an intruder to remotely install software and execute commands. These viruses and trojans are sometimes developed by government agencies, such as CIPAV and Magic Lantern. More often, however, viruses created by other people or spyware installed by marketing agencies can be used to gain access through the security breaches that they create.[26]
Another method is "cracking" into the computer to gain access over a network. An attacker can then install surveillance software remotely. Servers and computers with permanent broadband connections are most vulnerable to this type of attack.[27] Another source of security cracking is employees giving out information or users using brute force tactics to guess their password.[28]
One can also physically place surveillance software on a computer by gaining entry to the place where the computer is stored and installing it from a compact disc, floppy disk, or thumbdrive. This method shares a disadvantage with hardware devices in that it requires physical access to the computer.[29] One well-known worm that uses this method of spreading itself is Stuxnet.[30]
Social network analysis
One common form of surveillance is to create maps of social networks based on data from social networking sites as well as from traffic analysis information from phone call records such as those in the NSA call database,[31] and internet traffic data gathered under CALEA. These social network "maps" are then data mined to extract useful information such as personal interests, friendships and affiliations, wants, beliefs, thoughts, and activities.[32][33][34]
Many U.S. government agencies such as the Defense Advanced Research Projects Agency (DARPA), the National Security Agency (NSA), and the Department of Homeland Security (DHS) are currently investing heavily in research involving social network analysis.[35][36] The intelligence community believes that the biggest threat to the U.S. comes from decentralized, leaderless, geographically dispersed groups. These types of threats are most easily countered by finding important nodes in the network, and removing them. To do this requires a detailed map of the network.[34][37]
Jason Ethier of Northeastern University, in his study of modern social network analysis, said the following of the Scalable Social Network Analysis Program developed by the Information Awareness Office:
The purpose of the SSNA algorithms program is to extend techniques of social network analysis to assist with distinguishing potential terrorist cells from legitimate groups of people ... In order to be successful SSNA will require information on the social interactions of the majority of people around the globe. Since the Defense Department cannot easily distinguish between peaceful citizens and terrorists, it will be necessary for them to gather data on innocent civilians as well as on potential terrorists.
— Jason Ethier[34]
Monitoring from a distance
It has been shown that it is possible to monitor computers from a distance, with only commercially available equipment, by detecting the radiation emitted by the CRT monitor. This form of computer surveillance, known as TEMPEST, involves reading electromagnetic emanations from computing devices in order to extract data from them at distances of hundreds of meters.[38][39][40]
IBM researchers have also found that, for most computer keyboards, each key emits a slightly different noise when pressed. The differences are individually identifiable under some conditions, and so it's possible to log key strokes without actually requiring logging software to run on the associated computer.[41][42]
And it has also been shown, by Adi Shamir et al., that even the high frequency noise emitted by a CPU includes information about the instructions being executed.[43]
Policeware and govware
Policeware is software designed to police citizens by monitoring discussion and interaction of its citizens.[44] Within the U.S., Carnivore was a first incarnation of secretly installed e-mail monitoring software installed in Internet service providers' networks to log computer communication, including transmitted e-mails.[45] Magic Lantern is another such application, this time running in a targeted computer in a trojan style and performing keystroke logging. CIPAV, deployed by the FBI, is a multi-purpose spyware/trojan.
The "Consumer Broadband and Digital Television Promotion Act" (CBDTPA) was a bill proposed in the United States Congress. CBDTPA was known as the "Security Systems and Standards Certification Act" (SSSCA) while in draft form, and was killed in committee in 2002. Had CBDTPA become law, it would have prohibited technology that could be used to read digital content under copyright (such as music, video, and e-books) without Digital Rights Management (DRM) that prevented access to this material without the permission of the copyright holder.[46]
In German-speaking countries, spyware used or made by the government is sometimes called govware.[47] Some countries like Switzerland and Germany have a legal framework governing the use of such software.[48][49] Known examples include the Swiss MiniPanzer and MegaPanzer and the German R2D2 (trojan).
Surveillance as an aid to censorship
See also: Internet censorship and Internet censorship circumvention
Surveillance and censorship are different. Surveillance can be performed without censorship, but it is harder to engage in censorship without some form of surveillance.[50] And even when surveillance does not lead directly to censorship, the widespread knowledge or belief that a person, their computer, or their use of the Internet is under surveillance can lead to self-censorship.[51]
In March 2013 Reporters Without Borders issued a Special report on Internet surveillance that examines the use of technology that monitors online activity and intercepts electronic communication in order to arrest journalists, citizen-journalists, and dissidents. The report includes a list of "State Enemies of the Internet", Bahrain, China, Iran, Syria, and Vietnam, countries whose governments are involved in active, intrusive surveillance of news providers, resulting in grave violations of freedom of information and human rights. Computer and network surveillance is on the increase in these countries. The report also includes a second list of "Corporate Enemies of the Internet", Amesys (France), Blue Coat Systems (U.S.), Gamma (UK and Germany), Hacking Team (Italy), and Trovicor (Germany), companies that sell products that are liable to be used by governments to violate human rights and freedom of information. Neither list is exhaustive and they are likely to be expanded in the future.[52]
Protection of sources is no longer just a matter of journalistic ethics. Journalists should equip themselves with a "digital survival kit" if they are exchanging sensitive information online, storing it on a computer hard-drive or mobile phone.[52][53] Individuals associated with high profile rights organizations, dissident groups, protest groups, or reform groups are urged to take extra precautions to protect their online identities.[54]
See also
- Anonymizer, a software system that attempts to make network activity untraceable
- Computer surveillance in the workplace
- Cyber spying
- Differential privacy, a method to maximize the accuracy of queries from statistical databases while minimizing the chances of violating the privacy of individuals.
- ECHELON, a signals intelligence (SIGINT) collection and analysis network operated on behalf of Australia, Canada, New Zealand, the United Kingdom, and the United States, also known as AUSCANNZUKUS and Five Eyes
- GhostNet, a large-scale cyber spying operation discovered in March 2009
- List of government surveillance projects
- Mass surveillance
- Surveillance
- Surveillance by the United States government:
- 2013 mass surveillance disclosures, reports about NSA and its international partners' mass surveillance of foreign nationals and U.S. citizens
- Bullrun (code name), a highly classified NSA program to preserve its ability to eavesdrop on encrypted communications by influencing and weakening encryption standards, by obtaining master encryption keys, and by gaining access to data before or after it is encrypted either by agreement, by force of law, or by computer network exploitation (hacking)
- Carnivore, a U.S. Federal Bureau of Investigation system to monitor email and electronic communications
- COINTELPRO, a series of covert, and at times illegal, projects conducted by the FBI aimed at U.S. domestic political organizations
- Communications Assistance For Law Enforcement Act
- Computer and Internet Protocol Address Verifier (CIPAV), a data gathering tool used by the U.S. Federal Bureau of Investigation (FBI)
- Dropmire, a secret surveillance program by the NSA aimed at surveillance of foreign embassies and diplomatic staff, including those of NATO allies
- Magic Lantern, keystroke logging software developed by the U.S. Federal Bureau of Investigation
- Mass surveillance in the United States
- NSA call database, a database containing metadata for hundreds of billions of telephone calls made in the U.S.
- NSA warrantless surveillance (2001–07)
- NSA whistleblowers: William Binney, Thomas Andrews Drake, Mark Klein, Edward Snowden, Thomas Tamm, Russ Tice
- Spying on United Nations leaders by United States diplomats
- Stellar Wind (code name), code name for information collected under the President's Surveillance Program
- Tailored Access Operations, NSA's hacking program
- Terrorist Surveillance Program, an NSA electronic surveillance program
- Total Information Awareness, a project of the Defense Advanced Research Projects Agency (DARPA)
- TEMPEST, codename for studies of unintentional intelligence-bearing signals which, if intercepted and analyzed, may disclose the information transmitted, received, handled, or otherwise processed by any information-processing equipment
References
- Everyone's Guide to By-passing Internet Censorship, The Citizen Lab, University of Toronto, September 2007
External links
- "Selected Papers in Anonymity", Free Haven Project, accessed 16 September 2011.
BOTTOM LINE.
I AM GOING TO TRACK YA ALL
FIND YA ALL
TURN YA ALL OVER FOR PROSECUTION.
I'm Making The Call Today Faggots
I'm Making The Call Today Faggots
Ryan. Out.
Tail End
The Beautiful Woman Of Ukraine
Tanzania In Da House Runnin Wild Down In Da Da Swamp Didn't Yo Mamma Tell Ya All Bout Da Swamp Shelby Cobra Sittin On Chrome While In Tucson, Arizona. There Is Only One Taxi Company. Da Swamps ONLY Choice.
Please Forward All Comments To: psapatriot@gmail.com At Da Swamps World Corporate Headquarters