What laws are broken??? My email and facebook account were accessed w/o permission..

Status
Not open for further replies.
P

PAgurl

New Member
Here's the short version (sorry, it's still long!)

My ex accessed my email account. I have been seperated from him for 2 yrs and there is NO WAY he knew my password. I have made a point to avoid contact with him whenever possible. He then changed my password, my security questions, deleted emails and all my contacts, in addition to having access to ALL that INFORMATION that accumulates on a 10 year old email account!!!
He also accessed my Facebook account (again, no way he had the password) and reset my password. Once he was in my facebook account he continued to post pictures with comments insulting and degrading members of his own family. He sent at least one message pretending to be me to a man we both knew casually. In the email he said that (I) heard his girlfriend having sex with many other men when we lived nextdoor to her etc etc. He posted comments on photos pretending to be me making fun of his own deceased son (his oldest child died about 5 years ago). He made comments on photos saying that I stole his vehicles from him. (fyi- not the case. lol. I have PA titles for every car I've ever owned!...but I did have to recover three of my own cars from him after our split...longer story than this!)
I have received multiple responses to his comments and postings that are mostly from his family. Comments such as "Now you are going down!" and "If I ever see you I'll personally deck you" and other threatening statements.

I did report this to my state police. I am HOPING they press criminal charges, however I plan on addressing it myself via a civial suit to make the point clear that I WILL NOT tolerate this type of behavior.

Can anyone offer any ideas on any state or even federal statutes that may apply to this case?
(FYI- I have documentation of all his little escapades...and 6 mos ago I got threatening emails from him- i have the printouts. I also have documented the vehicle fiasco and his refusal to return them and threats that he would send them over a cliff if I didn't sign them over to him. The reason I tell you this is that this is not a one time thing with him. He is like a bad penny and keeps popping up. If that impacts my case against him, please let me know.)
 
Clearly, this can be a complex sort of case ... we investigate similar matters all the time.

First question: How do you KNOW it was the ex?

Understand that all because you believe it was him does not mean it WAS him. Facebook accounts are hacked all the time even by complete strangers. I won't go into all the sways it can be done, but absent some definitive PROOF that he unlawfully accessed the accounts, the state will have a hard time making a case. And, to be quite frank, it is very unlikely that the state police will invest the time and money into the court orders and search warrants they might need to make this case. Maybe you'll get lucky and they will find the answers easily or they will have an easy time making the case. I know that out here we probably would do little more than document it and ask for info from Facebook. Absent an obvious smoking gun or a confession, it might not go anywhere.
 
As you describe it, I'm not sure any laws were broken. As mentioned above, it seems there is no proof as to who the suspect is.

Change your passwords frequently and don't use anything that would be easy to guess.
Check your personal computer for the presence of any spyware such as a keylogger.

With what you describe I would be surprised if any law enforcement agency did anything more than simply document the incident. I would not expect even an attempt to get info from Facebook since there isn't enough information to justify a warrant.
 
The first thing you should do is to contact Facebook and the provider of your email account. If you haven't deleted the comments yet, provide the URLs to Facebook. Provide the date and time the events occurred. You need to ask them to preserve their records including the IP address and other relevant information that will indicate who (or what computer) accessed your account during these times. A private lawsuit will be costly but perhaps by using a lawyer or with help from your court clerk, you can obtain an information subpoena to obtain the information above which could lead to further investigation.

It is a good thing to report the incident immediately for documentation purposes. Chances are, unfortunately, that law enforcement may not pursue this case given how many other serious items are on the agenda and it doesn't seem that any threat occurred, e.g. your life may be in danger, etc. I'm hoping some of the above might help you...
 
I hear these complaints a lot about an ex or someone else accessing email accounts or Facebook/Myspace etc either by knowing or guessing passwords.
To my knowledge, doing so is not a violation of any law. Guessing passwords is not "hacking". There may be privacy concerns, but it is what a person does with the information obtained that is significant, not just the fact that it was viewed.
In a case such as this, it would be Facebook's system that was accessed, not the OP's, so there isn't any grounds for complaint. It is up to the OP to ensure a secure password and prevent such things.

I am curious- can anyone point to any particular state statutes regarding access to social websites or email? Obviously there are laws regarding a legitimate hack that circumvents the security of a system, but knowing/guessing passwords is not the same.

Even if this OP could prove who made the comments, I don't believe there is any recourse in this case absent any threats or unauthorized use of personal information. I'm not going to take the time to read it, but I would bet Facebook's terms of service probably touch on this too.
 
Actually, CA has a host of laws that might apply. However, the resources to investigate them are just not there when no threats or loss has occurred.

When I get back home or to the office (at training today) I can find a few that might apply in CA, but I don't know about specifics in PA. I imagine they have similar laws to ours, though.
 
CDW- to be clear, what I am getting at in a scenario like this is that the OP's computer was not compromised or "hacked". The computer is at another location belonging to Facebook, as well as the emails which are obviously web based and not on the OP's personal computer. If there is any hacking done here, the OP is not the victim. Even so, accessing with a password, even if guessed, is not "unauthorized access" as defined.

The only was I see that the OP could be a victim is if threats are made or if personal data is obtained and then used for blackmail, fraud, or identity theft.

The most relevant CA code is 502.
 
Last edited:
There are sections in CA that would apply. Accessing even a social networking site without permission can be criminal in our state. In PA, I do not know, but I suspect it is.

PC 7611 would seem to indicate that this could be a crime

§ 7611. Unlawful use of computer and other computer crimes.
(a) Offense defined.--A person commits the offense of
unlawful use of a computer if he:
(1) accesses or exceeds authorization to access, alters,
damages or destroys any computer, computer system, computer
network, computer software, computer program, computer
database, World Wide Web site or telecommunication device or
any part thereof with the intent to interrupt the normal
functioning of a person or to devise or execute any scheme or
artifice to defraud or deceive or control property or
services by means of false or fraudulent pretenses,
representations or promises;
(2) intentionally and without authorization accesses or
exceeds authorization to access, alters, interferes with the
operation of, damages or destroys any computer, computer
system, computer network, computer software, computer
program, computer database, World Wide Web site or
telecommunication device or any part thereof; or
(3) intentionally or knowingly and without authorization
gives or publishes a password, identifying code, personal
identification number or other confidential information about
a computer, computer system, computer network, computer
database, World Wide Web site or telecommunication device.
(b) Grading.--An offense under this section shall constitute
a felony of the third degree.
(c) Prosecution not prohibited.--Prosecution for an offense
under this section shall not prohibit prosecution under any
other section of this title.

And this,


§ 7612. Disruption of service.
(a) Offense defined.--A person commits an offense if he
intentionally or knowingly engages in a scheme or artifice,
including, but not limited to, a denial of service attack upon
any computer, computer system, computer network, computer
software, computer program, computer server, computer database,
World Wide Web site or telecommunication device or any part
thereof that is designed to block, impede or deny the access of
information or initiation or completion of any sale or
transaction by users of that computer, computer system, computer
network, computer software, computer program, computer server or
database or any part thereof.
(b) Grading.--An offense under this section shall constitute
a felony of the third degree.

And there are probably more.

A great number of laws have popped up in the last few years to criminalize this sort of thing. But, being a technical crime does not necessarily equate to the ability or willingness to investigate or prosecute.

And for CA read PC 502.
 
Last edited:
I had not seen these. 7612 appears to be regarding DoS type attacks, which this is not. That is more along the lines of an attempt to block access to a site such as Facebook.com by means of disabling or overwhelming the servers.

I'm not sure about 7611(a)(1)... but even in that case the OP is not the victim, rather the operator of the servers. No connection has been made to the OP's computer.

The best way I've ever been able to handle these matters is to advise people to keep private information out of the public domain. Storing emails on web based servers is not secure, even with a password. Social networking sites are also not secure, even with passwords and limitations on who your "friends" are. Don't put sensitive information in these places and nobody can hurt you with it.

Unless someone is using some means of circumventing security features to access information, I expect it is unlikely that any entity would investigate. Terms of service everywhere put the burden of password security on the user.
 
The ToS is to protect the provider, it does not absolve a suspect who unlawfully accesses a system from potential criminal liability. I just did a 10 second Google search and found those two PA sections, but I suspect that if those do not apply here, PA has some statutes that do. An ex who has not lived in the home for 2 years and has not had access to the password has almost certainly committed a crime. I suppose he could argue in court that she gave him the password and gave her permission for him to screw it up, but I doubt a jury would buy it.

I present programs on technology and security throughout my county and am the guy that gets consulted on most tech crimes here (the agencies here have a surprising number of Luddites in the investigations units). We do not have the resources to investigate all the complaints, but we look at them to see whether we have ancillary crimes such as criminal threats, larceny, etc. Absent some serious criminal offense, we haven't the resources to investigate them as you mentioned. We do attempt to get information from Facebook and others when we can, but usually the victim is satisfied with safety tips and some kind words. And, a phone call from the po-po is very often sufficient to get the offender to knock it off. Proving that the suspect actually made the entry can be extremely difficult, to the point of near impossible without a huge amount of effort, so trying to stop it is much more cost effective than investigating.
 
I refer to the terms of service only for common language about protecting passwords. Many sites have it, but not all.
I'm just not convinced that using/guessing a password on a social networking site is "unauthorized access" as intended in the law. I believe that sort of unauthorized access has more to do with circumvention of security features that would gain access to the servers themselves and the overall function of the service, not just a person's particular page.

If these laws do apply, they sure aren't written clearly enough to try and apply them in these scenarios.
 
mightymoose said:
I refer to the terms of service only for common language about protecting passwords. Many sites have it, but not all.
I'm just not convinced that using/guessing a password on a social networking site is "unauthorized access" as intended in the law.
Click to expand...
I've been part of prosecutions for it, so at least the courts do. Proving the access can be tough, but there are sections that apply for unlawful access, modification, etc. Most of these have come into place only in the last few years. Merely unauthorized access to a social networking site can be a crime here.

I believe that sort of unauthorized access has more to do with circumvention of security features that would gain access to the servers themselves and the overall function of the service, not just a person's particular page.
Click to expand...
That's one crime. There could be others.

If these laws do apply, they sure aren't written clearly enough to try and apply them in these scenarios.
Click to expand...
But, I suspect that those statutes exist in PA as they do here. If there was a desire and the resources, I suspect they would be able to pursue it.
 
In the cases you have been involved in, was it simply regarding access by using/guessing a password, or was access gained by other means? Was there some kind of theft or use of the data after gaining access? Also, was it done by accessing someone else's personal computer, or from a remote location?

Just curious...
 
There was always more than just utilizing a password to access an account. But, theft was not always a necessary element. Usually they dealt with ongoing harassment and access was gained from another computer and not the person's own computer. Proving access by the suspect tends to be difficult.

Unfortunately, we lack the resources to investigate most of these so we really have to deal only with those that leap out at us. We have turned a few over to other agencies or the DOJ, but they have dollar value thresholds (for theft or damage) or require some serious and credible threat. These offenses are under prosecuted as a result.

So, while a crime might exist, they seem to be rarely prosecuted for offenses like this one. The best way to handle them is to take additional actions to secure one's own computer and sites accessed.
 
Thanks guys for attempting to sort this out.

I'll try to clarify a few points for you- I'm really interested in your thoughts on this!

1) All I know for sure is that he accessed both the email and facebook accounts and my password was changed (multiple times on the email account). He may have been able to do this by resetting my security questions? But I have no real idea or proof of how he did it.
2) Personal information in my email account could have been obtained- I have not seen the effects of it being used yet, but keep in mind that this just happened within the past two weeks or so.
3) The posts he posted and the security questions he reset certainly indicate it was him. However there was no admission directly. He did email a mutual acquaintance and revealed private information only known to he and I. That is the reason I am set on saying it was him. Could it be some great conspirancy toward him? Sure I guess...but highly unlikely.
4) I did report it to the state police and was told that they will forward it on to their computer crimes unit.

This guy has been out of the household and has been a thorn in my side. Quite frankly I am sick of it. He needs to move on with his life and I am willing to pursue this in any way possible, including as a civil suit if necessary. I want to send him a message that I won't tolerate his BS anymore.

That being said, a computer crimes unit detective pointed me to these two PA statutes:

Unlawful use of computer and other computer crimes - 18 Pa. Cons. Stat. § 7611
Legal Research Home > Pennsylvania Statutes



SUBCHAPTER B
HACKING AND SIMILAR OFFENSES

Cross References. Subchapter B is referred to in sections
7605, 7606 of this title.

Sec.
7611. Unlawful use of computer and other computer crimes.
7612. Disruption of service.
7613. Computer theft.
7614. Unlawful duplication.
7615. Computer trespass.
7616. Distribution of computer virus.
§ 7611. Unlawful use of computer and other computer crimes.
(a) Offense defined.--A person commits the offense of
unlawful use of a computer if he:
(1) accesses or exceeds authorization to access, alters,
damages or destroys any computer, computer system, computer
network, computer software, computer program, computer
database, World Wide Web site or telecommunication device or
any part thereof with the intent to interrupt the normal
functioning of a person or to devise or execute any scheme or
artifice to defraud or deceive or control property or
services by means of false or fraudulent pretenses,
representations or promises;
(2) intentionally and without authorization accesses or
exceeds authorization to access, alters, interferes with the
operation of, damages or destroys any computer, computer
system, computer network, computer software, computer
program, computer database, World Wide Web site or
telecommunication device or any part thereof; or
(3) intentionally or knowingly and without authorization
gives or publishes a password, identifying code, personal
identification number or other confidential information about
a computer, computer system, computer network, computer
database, World Wide Web site or telecommunication device.
(b) Grading.--An offense under this section shall constitute
a felony of the third degree.
(c) Prosecution not prohibited.--Prosecution for an offense
under this section shall not prohibit prosecution under any
other section of this title.

Cross References. Section 7611 is referred to in section
7603 of this title.

§ 7612. Disruption of service. (a) Offense defined.--A person commits an offense if he intentionally or knowingly engages in a scheme or artifice, including, but not limited to, a denial of service attack upon any computer, computer system, computer network, computer software, computer program, computer server, computer database, World Wide Web site or telecommunication device or any part thereof that is designed to block, impede or deny the access of information or initiation or completion of any sale or transaction by users of that computer, computer system, computer network, computer software, computer program, computer server or database or any part thereof. (b) Grading.--An offense under this section shall constitute a felony of the third degree. Cross References. Section 7612 is referred to in section 7603 of this title.

I also hope to bring into play his other communications with me in the past and try to get cyber harrassment or cyber stalking added to the list.

Someone mentioned that I may be able to send a subpeona to Yahoo and Facebook myself thru the court system? If anyone can tell me more about that process, please do! I am willing to fund and drive this myself if necessary!!!!!

Thanks again!
 
Those were the sections I found, and I think those would be the relevant sections. But, resources being what they are, I would not expect even the state police to put a great deal of effort into the matter. They might try some cursory angles, and hope they can get consent to search from the ex, maybe even an admission from him. But, if he denies it, and was smart about his access (where and how) then they may not pursue it.

If you initiate some civil action against him you can seek a subpoena for records, but you will have to start some sort of court action.
 
7611(a)(1) seems the most appropriate here, but would depend on how those terms are all defined in the statute. For reasons already given, it is unlikely that this will ever be prosecuted due to lack of evidence. Short of some threat or theft, there is too much effort required for the investigation of something so petty.

I you want, you can try and get yourself a restraining order against him to compel him to stop making any kind of contact including this kind of harassment.
 
Looks good to me. Yes, you can get an information subpoena to request the information but that is tricky as is the process.

What you need is a "John Doe Subpoena" which is used to file a lawsuit against an unknown person and then obtain a subpoena as a plaintiff, pursuant to the lawsuit.

http://en.wikipedia.org/wiki/Doe_subpoena

"A Doe subpoena is a subpoena that seeks the identity of an unknown defendant to a lawsuit. Most jurisdictions permit a plaintiff who does not yet know a defendant's identity to file suit against John Doe and then use the tools of the discovery process to seek the defendant's true name. A Doe subpoena is often served on an online service provider or ISP for the purpose of identifying the author of an anonymous post."

TWO STEP PROCESS:

1) Plaintiff files a lawsuit, issues a subpoena to the hosting website requesting the IP address of the poster. (Note that many websites and online companies may not store IP Address information for long periods of time and, perhaps, not at all.)

2) The plaintiff must then subpoena the ISP that owns the address for the identify of the person who was using that IP Address.

A defendant who is notified by the ISP of the service of a Doe Subpoena and may file a motion to quash, asking the court to block the subpoena and prevent the ISP from responding.
 
Status
Not open for further replies.

Share this page

Get a free case review from a lawyer
Back
Top