Case is the First Ever Criminal Prosecution for Selling Spyware App in U.S. History. Are Prosecutions of Technology Executives For Cybercrime on The Rise?
On Tuesday November 25, 2014, in United States District Court for the Eastern District of Virginia, Hammad Akbar, the CEO of InvoCode Pvt. Limited, pleaded guilty to the sale of an interception device and the advertisement of a known interception device in violation of the federal Wiretap Act. The Washington Post reported Akbar, a 31 year old Pakistani national, was arrested by the FBI when he entered the United States on September 27, 2014 in Los Angeles, California. According to the indictment, Akbar’s company marketed and sold in the U.S. a spyware application called “StealthGenie” which could be installed to any cellular phone. Once installed, the spyware app could monitor the phone user’s incoming and outgoing calls, text messages, voicemails, photographs, videos and other communications without the permission or knowledge of the cell phone user. Although Akbar is a Danish citizen and lived in Lahore, Pakistan, his company was based in the United Kingdom and the StealthGenie website was hosted at a data center in Ashburn, Virginia. Moreover, the indictment references internal company documents seized by federal investigators in which the company estimated that 65% of its targeted customers would be from the U.S. Federal Judge Leonie M. Brinkema sentenced Akbar on November 25th to time served (10 days in jail) and ordered him to pay a $500,000 fine. Meanwhile, PCWorld.com reported that in a separate civil action a federal judge in Virginia granted a temporary injunction against the StealthGenie website.
Federal prosecutors heralded this case in a Department of Justice press release as a watershed moment in cybercrime enforcement because it marks the first criminal conviction in U.S. history for the advertisement and sale of a spyware app. As a part of his guilty plea, Akbar admitted to advertising the StealthGenie app through his website and selling the app on December 12, 2012, to an undercover FBI Agent, posing as a customer. The StealthGenie app has capabilities that should make any personal privacy advocate shudder with fear. For example once someone purchased the StealthGenie app, the purchaser would only need to temporarily get possession of the target cell phone to install the stalker app. The app would then run in the background without the cell phone user being aware of the app‘s presence. The purchaser then could monitor the target cell phone using the internet. The purchaser also could listen to recordings of incoming and outgoing calls and could even use the cell phone’s microphone to ease drop on surrounding conversations taking place within 15 feet of the target cell phone, even if the target cell phone was not being used for a telephone call.
This kind of incredible spy capability has been dramatized and foretold on television. On the HBO hit series “The Newsroom,” episode 8, which aired in August of 2012, the show envisioned such a scenario in a scene inspired by the NSA/Edward Snowden scandal. In the fictional scene, the cable news director Charlie Skinner was meeting with a NSA whistleblower Solomon Hancock at the New York City Public Library. The dialogue was incredibly foretelling:
Solomon Hancock: “Would you mind taking the battery out of your cell phone?”
Charlie Skinner: “The walls in the New York Public Library are three feet thick!”
Solomon Hancock: “Sometimes at the NSA, we download a rolling bug on smartphones to slay the microphone.”
The StealthGenie prosecution comes on the heels of a pair of recent convictions of Northern Virginia software executives for violations of the Computer Fraud and Abuse Act (“CFAA”). On May 21, 2014, DOJ announced in a press release that Ariel Friedler, 36 of Arlington, Virginia, and former CEO of Symplicity Corporation, pleaded guilty to conspiracy to intentionally hacking into two of his competitors’ computer systems in violation of 18 U.S.C. Section 1030. U.S. District Judge Anthony Trenga sentenced Friedler to 2 months’ incarceration, followed by one year of supervised release and imposed a $250,000 fine and ordered Friedler to pay approximately $275,000 in restitution. Symplicity’s former chief technology officer, Alok Dhir also pleaded guilty to conspiracy to violate the CFAA and was sentenced by Judge Trenga to one year of supervised release and 120 hours of community service, a fine of $50,000, and ordered to pay approximately $215,000 in restitution. According to Pando.com, Symplicity Corporation was not charged in this case.
A review of recent federal prosecution statistics indicate federal authorities since 2010 have placed a higher priority on prosecuting cyber related crime. For example, according to the Department of Justice, in FY2010 federal prosecutors filed a total of 155 cases against 287 defendants, a 41% increase from FY2009. In FY2013, the latest year for which statics are available, that trend held moderately strong with a slight decline at 146 cases filed against 187 defendants. Clearly the government is serious about prosecuting alleged computer related crimes.
Anyone who runs a business in an internet related industry should be aware of the potential pitfalls which can give rise to criminal charges. Specifically the federal Wiretap Act, 18 U.S.C. Section 2512, prohibits anyone from manufacturing, distributing, possessing and advertising wire, oral or electronic communication intercepting devices, except under extremely limited statutory exceptions. Furthermore, the CFAA 18 U.S.C. Section 1030 among other things prohibits anyone from knowingly and intentionally accessing any protected computer without authorization or accessing it by exceeding authorized permission and by means of such conduct having obtained information without the permission of the owner. Internet based technology companies, especially those doing business as federal contractors should consider bringing in a white collar criminal defense attorney to conduct training on the laws and regulations related to cybercrime, review the adequacy of compliance programs, conduct internal investigations of alleged wrongful conduct and consider whether the self-reporting of such conduct and the company’s efforts to address it are in the company’s best interest.