UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF WASHINGTON
AT SEATTLE
UNITED STATES OF AMERICA,
Plaintiff,
v.
ROBERT ALAN SOLOWAY, and
NEWPORT INTERNET MARKETING,
Defendants.
GOVERNMENT’S RESPONSE IN OPPOSITION TO MOTION TO DISMISS AGGRAVATED IDENTITY THEFT COUNTS
The United States of America, by and through Jeffrey C. Sullivan, United States Attorney for the Western District of Washington, and Kathryn A. Warma, Assistant United States Attorney for said District, files this Response in Opposition to the Defendant’s Motion to Dismiss Counts 19 - 25 of the Second Superseding Indictment.
I. Introduction
Defendant Robert Soloway (“Soloway”) argues in his Motion to Dismiss that the seven counts of Aggravated Identity Theft charged against him should be dismissed outright because: 1) the defendant’s conduct “was not aggravated in the sense that it was not the type of conduct for which the statute intended enhanced penalties to apply,” and 2) the identity theft conduct charged in counts 19-25 “is already covered” in Count 18 (alleging Fraud in Connection with Electronic Mail, in violation of 18 U.S.C. §1037(a)(3)). Motion to Dismiss, at pp. 4, 7. As will be demonstrated below, defendant’s assertions are meritless. The motion relying upon them should be denied.
II. The Statute
The “Aggravated Identity Theft” statute provides, in pertinent part:
§ 1028A. Aggravated identity theft
(a) Offenses.-
(1) In general. - Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
. . . .
(c) Definition. - For purposes of this section, the term “felony violation enumerated in subsection (c)” means any offense that is a felony violation of -
. . .
(4) any provision contained in this chapter (relating to fraud and false statements), other than this section or section 1028(a)(7);
(5) any provision contained in chapter 63 (relating to mail, bank, and wire fraud). . .
[1 Section 1037 is contained in the “chapter” (Chapter 47, Title 18, United States Code) referenced in subsection (c)(4).]
The statute thus clearly provides that a perpetrator of any number of federal felonies - specifically including §1037, (“fraud in connection with electronic mail,”[1]) as well as mail and wire fraud - is criminally responsible for the additional crime of aggravated identity theft if, “during and in relation to” those other crimes, he or she also “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.”
The term “means of identification” is in turn defined for purposes of 18 U.S.C. §1028A, in 18 U.S.C. §1028(d)(7) as, “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual . . .” The statute goes on to identify, by way of example and not of limitation, an expansive list of possible identifiers that includes, inter alia: name, “unique electronic identification number, address, or routing code,” and “telecommunication identifying information.”
III. Argument
A. Soloway Knowingly, Willfully, and Repeatedly Engaged in Egregious Acts of Identity Theft that Fall Squarely within the Terms of the Aggravated Identity Theft Statute
From November 2003, until his arrest in May of 2007,[2] Robert Soloway devised and executed a multi-faceted criminal scheme that generated over $1,000,000 in proceeds. The scheme can be summarized as follows:
[2 Evidence exists to show that Soloway had run the same scheme, likely for years, in California and Oregon before moving to Washington in 2003.]
Soloway created and published a series of Internet websites on which he touted his “low cost,” but purported high return “distribution email” advertising product and service; i.e., Soloway was offering to sell a software product that would enable the customer to send out their own high volume e-mail ads, or to send out “distribution email” ads on behalf of the customer. Soloway, however, made numerous material false and fraudulent representations on these various websites - most notably including the purported “opt-in” character of the e-mail addresses used in the “distribution email” product and service, but also regarding the availability of customer support and payment of “full 100%” refunds, “no questions asked,” to product customers.[3]
[3 Because Soloway executed his scheme to defraud by way of interstate wire communications (in publishing the websites) and by sending materials (the “product” he promoted and sold) through the mails and commercial interstate carriers, he has been charged with both wire and mail fraud (Counts 1-16, Second Superseding Indictment).]
Soloway promoted and advertised his websites - and thus his scheme - by indiscriminately blasting the Internet and e-mail users world-wide with hundreds of millions - likely even billions - of “spammed” e-mail commercial messages. These spammed messages were transmitted in violation of two separate subsections of the “CANSPAM Act,” as codified at 18 U.S.C. §1037, because Soloway routinely used “proxy” computers to relay his spam, (§1037(a)(2)), and also routinely materially falsified header information (§1037(a)(3)). As the Court will hear at trial, these two techniques are common “spammer” tools which, if used in combination, effectively mask the two primary and most obvious means of identifying the source of a spammed e-mail message.[4]
[4 The use of “proxy” relays to transmit e-mail conceals the identifying Internet Protocol (“IP”) address of the true originating computer, and the falsification of the “from” field in headers conceals the text-based name of the message “sender”.]
Soloway went beyond these “basic” spammer ruses, however, by choosing to engage in substantially more aggressive tactics involving the theft and unauthorized use of e-mail addresses and domain names that had been purchased and were owned by actual people, who were individually identifiable therefrom. As explained more fully below, and as will be proved at trial, these individuals suffered harm financially, as well as to their names and reputations, as a direct result of Soloway’s knowing, intentional, and repeated theft of their identities in furtherance of his mail and wire fraud scheme, and in relation to his felony “CANSPAM” Act violations.
“Spamming 101”
In order to best understand the significance of Soloway’s identity theft crimes, it is useful first to review some spamming “basics.”[5]
[5 The government will present an expert witness at trial who will provide testimony on these and other aspects of “spam,” including what it is, how it’s distributed, how spammers profit, and the damages it causes and financial costs it creates for everyone who uses the Internet, but particularly for small Internet businesses and Internet Service Providers (“ISPs”). See also: Fighting Spam for Dummies, J. Levine, M. Levine Young, and R. Everett-Church, Wiley Publishing, 2004; and Canning Spam, J. Poteet, Sams Publishing, 2004.]
Unlike telemarketers or junk mailers, spammers can almost instantaneously[6] “blast” their commercial advertisements at a barely perceptible financial cost to virtually hundreds of millions of recipients, world-wide. Also, unlike telemarketers or junk mailers, the costs of doing so do not measurably increase with an increase in the volume of the target audience. Consequently, spammers routinely seek to maximize their “mailing lists,” based on the assumption that the chances of a financial return (often from the “sale” of something fraudulent) will increase proportionately with the size of the receiving audience. The spammers themselves typically incur no additional costs for spamming ever more addresses - even if many of the e-mail addresses are bogus or invalid and therefore “bounce back” when they cannot be delivered as addressed. Creating ever larger e-mail address lists (either for their own use or for sale) is therefore a constant goal of spammers.
[6 Indeed, the speed and immediacy of spam has made it a favored technique for natural disaster and “catastrophe” fraud.]
One method of creating and “bulking up” e-mail address lists is through “dictionary attacks.” This typically involves the use of a computer program to generate long lists of possible names that are then appended to a known - or even a similarly generated - domain name. For example, a series of generated names (Alice, Ann, Amy), could be attached with the “@” symbol to the domain name: “usdoj.gov.” Spammed messages could then be blasted to every one of those computer generated email addresses in the hope that one or more would by chance be valid. An example of a “dictionary attack” list is appended as Attachment A.[7]
[7 This particular list was contained on one of the “product” CDs that was advertised and sold by Soloway from his website. Although Soloway represented (fraudulently) that the product he sold contained valid and “opt-in” e-mail addresses, the (defense contracting company) that owns the domain name, “amiinter.com” has confirmed that these 400 email addresses built on the domain name “amiinter.com” are neither valid nor “opt-in.”]
Another method of obtaining e-mail addresses and domain names is through “address harvesting.” Address harvesting has also become “automated” with the use of computer programs designed to “crawl” the Internet, visit websites and databases that might contain e-mail addresses or domain names, and compile those for the “harvester.” Address harvesting has the advantage of yielding lists of addresses and domain names that may well be valid, insofar as they were surreptitiously stolen, without permission, from active websites or databases. The existence of these harvested addresses or domain names does not, however, in any way signify permission by the owners of the same to be included on spam address lists for which they have never, in any sense, “opted in.” Evidence will be presented at trial to prove that Soloway was using “harvested addresses,” in addition to “dictionary attacks” for his illegal spam.
Regardless of whether a spammer gets address lists from dictionary attacks, address harvesting, or (as in Soloway’s case), from a combination of both, the addresses on those lists need only be inserted (again, via an automated program) into the “to” field in a spam “header” in order to blast the spam messages off, in bulk, to those separate addresses. In order to conceal his/her identity as the “sender,” the spammer can then manipulate or forge the “from” field in the header either to contain a false, fabricated, or non-existent name, or even to be blank. Spammers can, and most often do, also “rotate” a variety of false and fabricated names in the “from” header, as they continue to blast out repeated multiple versions of the same spam message - again, in an attempt to maximize the number of spam messages they send and hope will be received, without regard to the desires of, or impact on the target audience.
Anti-Spam Measures
Spam is universally regarded within the Internet community as a costly, invasive and deleterious “scourge.” It is commonly estimated that spam usurps 80% or more of Internet “bandwidth,” and costs Internet users billions of dollars annually. Some of those costs are spread among the universe of all Internet users; others are suffered in particular by ISPs and by small Internet-based businesses. Spam is also recognized as the “delivery mechanism” for pernicious fraud and “phishing” schemes, pornography, and a host of “malware” that includes viruses, worms, trojans, and spyware. The economic and societal costs of spam have driven law-making bodies world-wide to enact both civil and criminal “anti-spam” statutes. Reputable ISPs have uniformly adopted rigorous anti-spam policies that are incorporated into their terms of service. Subscribers who are identified to have violated an ISP’s anti-spam policies can have, and often do have, their accounts terminated, thereby ending their ability either to send or receive e-mail from that address. Anti-spam products and services have also been developed and made commercially available. These include a variety of “spam filtering” products and services, as well as “spam blacklists.”
Simply stated, spam filtering is designed to keep spam out of systems, networks and “in-boxes.” Filtering can be done with a variety of technical approaches and systems, and with a varying range of efficacy, and cost. None among these products or services is “perfect,” however. No filtering can stop all spam, and some can even result in “false positives,” which means that legitimate e-mails, too, will be blocked.
Spam “blacklists” are developed by a variety of online organizations (some nonprofit, some commercial), based on data compiled from Internet traffic that is identified as spam or spam-related. The blacklists are then used in conjunction with filtering products and services to exclude spam with those identifiers, and by ISPs to terminate accounts identified on the blacklists or to block incoming traffic from those accounts.
Soloway’s Knowing, Willful, and Repeated Acts of Identity Theft in Furtherance of Wire Fraud and CANSPAM Act Violations
Evidence at trial will establish that Soloway was keenly aware of anti-spam measures including filtering, and ISP anti-spam policies. Indeed, his repeated, knowing and willful use of legitimate e-mail addresses and domain names, including those paid for and belonging to identifiable individuals, without their permission and against their expressed will, was a tactic that he intentionally embraced and exploited, in the words of his own counsel, precisely “to circumvent . . . spam filter[s].”[8] This particular tactic enables the spam sender to thwart spam filters because the e-mail recipient cannot filter based on his/her own e-mail address - as to do so would effectively preclude any e-mail addressed to the recipient, from being received by the recipient.[9] It is thus a means to force the owner of any given e-mail address either to continue receiving the spam, in perpetuity and in whatever volume it arrives - or to surrender that e-mail address or domain name. Surrendering an established e-mail address or domain name can be financially devastating to a small business that has built its reputation on it from its inception.
[8 Motion to Dismiss, at p. 2, line 18.]
[9 Some advanced filtering products or services can possibly defeat this tactic by relying on “scores” or factors independent of the “from” information. These products or services, however, are not necessarily available - or within the financial or technological reach - of all Internet users.]
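Footnote 9's point, that a filter can score factors independent of the “from” information, shown as an added example (it is not part of the filing or of any product the filing mentions): a Python scorer that ignores what the From header claims and instead weighs the authentication results stamped by the receiving mail server. The authserv-id `mx.example.net`, the sample messages, the reason labels and the weights are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the identifier our own receiving MTA writes into the
# Authentication-Results header (RFC 8601). Hypothetical value.
TRUSTED_AUTHSERV_ID = "mx.example.net"


def trusted_auth_results(msg, authserv_id=TRUSTED_AUTHSERV_ID):
    """Return {method: result} taken only from headers our own MTA stamped.

    A sender can insert any Authentication-Results header it likes, so
    headers carrying a different authserv-id are ignored.
    """
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        ident, _, rest = " ".join(str(value).split()).partition(";")
        if (ident.split() or [""])[0].lower() != authserv_id:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results


def score_message(raw):
    """Score a message on signals that do not depend on the From text."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {addr.lower() for _, addr in getaddresses(headers) if addr}
    auth = trusted_auth_results(msg)
    # SPF alone checks the envelope sender, not the visible From header;
    # DMARC is the result that ties authentication to the From domain.
    from_verified = auth.get("dmarc") == "pass"

    score, reasons = 0, []
    if from_addr and not from_verified:
        from_domain = from_addr.rpartition("@")[2]
        if from_addr in rcpts:
            score += 3
            reasons.append("from-equals-recipient-unverified")
        elif from_domain in {r.rpartition("@")[2] for r in rcpts}:
            score += 2
            reasons.append("recipient-domain-in-from-unverified")
    if auth.get("dmarc") == "fail":
        score += 2
        reasons.append("dmarc-fail")
    if not auth:
        score += 1
        reasons.append("no-trusted-auth-results")
    return score, reasons


# Constructed sample messages (not taken from the case record).
SAMPLE_FORGED = (
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.invalid;\n"
    " dmarc=fail header.from=victim.example\n"
    "Authentication-Results: relay.invalid; dmarc=pass header.from=victim.example\n"
    "From: t.c@victim.example\n"
    "To: t.c@victim.example\n"
    "Subject: constructed sample\n\nbody\n"
)
SAMPLE_GENUINE = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=victim.example;\n"
    " dmarc=pass header.from=victim.example\n"
    "From: t.c@victim.example\n"
    "To: t.c@victim.example\n"
    "Subject: note to self\n\nbody\n"
)
SAMPLE_SAME_DOMAIN = (
    "Authentication-Results: relay.invalid; dmarc=pass header.from=victim.example\n"
    "From: sales@victim.example\n"
    "To: t.c@victim.example\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for name in ("SAMPLE_FORGED", "SAMPLE_GENUINE", "SAMPLE_SAME_DOMAIN"):
        print(name, score_message(globals()[name]))
```

The owner of the address keeps receiving legitimate mail, including genuine notes to self, because the decision rests on whether the From domain was verified and not on what address appears in it.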
Soloway thus proved himself a savvy and aggressive spammer who deliberately tailored his spamming techniques to defeat protections put in place to defeat spamming, and who was absolutely indifferent to the consequences of his actions to his innocent victims. Soloway also was aware - but resolutely indifferent to - the fact that many of these victims often suffered yet again - when they were blacklisted as a result of his spamming activity because their legitimate and individually identifiable e-mail addresses and domain names had been identified with spam that he - not they - had sent, and was responsible for.
All of the aggravated identity theft counts charged in this case involve victims whose experiences with Soloway shared common traits.[10] Most of the individuals (identified by their initials for purposes of the Indictment) began receiving spammed email messages, sometime during the period from 2005 until 2007, that contained advertisements for, and a link to Soloway’s (fraudulent) websites. As is typically the case with spam, these spammed messages came over, and over. And to the horror of each of these individuals, the messages included a header that identified the recipients themselves as the “sender” of spam that advertised a company they had never heard of and had nothing to do with. None of the recipients had “opted-in” to receive any such spammed advertisements, and none wished to be associated in any way with a company responsible for spam. Most of these individuals contacted Soloway repeatedly, and requested that he stop using their e-mail addresses and domain names in spam. Soloway ignored these requests, and continued to spam, using the e-mail addresses and domain names owned by these victim individuals, despite their voiced objections. In some cases the spam even increased. Several of these victims will testify further that they received either “bounce backs” to their addresses, indicating that Soloway had forged their addresses into the “from” header into spam he had sent to third parties, or complaints directly from third parties who blamed them for spam. And finally, several of these victims will testify that they subsequently were blacklisted by one or more ISPs or filtering services, because the e-mail address or domain name they owned - and that had been used by Soloway without their authority - had become identified as having an association with spam. Their individual reputations, and those of their businesses were compromised; they lost customers and the ability to do business on-line.
[10 The victims associated with counts 19 - 26 are but a representative sample of many more who were identified during the investigation as suffering like experiences.]
By way of illustration, additional details regarding two of these individual victims are as follows:
Count 19: R.M. will testify that he had registered and purchased a domain name that consisted of his combined first and last name, followed by “.net”. Beginning in March of 2005, his wife (with a different name and who used an entirely different email account) began receiving spammed advertisements from several different companies. R.M.’s wife had not opted-in to receive any such spammed advertisements. The header of these spams identified the “sender” with one of a variation of names “at” the domain name owned and registered to R.M. R.M. had no association with any of these companies, nor had he authorized anyone to use his personal, individually identifiable name for spamming. R.M. contacted two of these companies, and was told they had each hired Soloway, relying on his representations that he would send “broadcast emails” to “opt-in” e-mail lists on their behalf. Both companies complained that Soloway had defrauded them, and was instead spamming advertisements for their company to recipients who were not opt-in, and from whom they had received complaints. R.M. did some investigatory work of his own, and located a phone number for Soloway. He called the number to complain about the unauthorized use of his individually identifiable domain name - a domain name he had purchased and registered. The person answering the telephone hung up on him. R.M. called again and asked to speak to the owner or manager. The person answering the phone hung up on him again.[11] Spam with R.M.’s individually identifiable domain name continued, causing R.M. to file a complaint with the FBI.
[11 Numerous victims have reported that Soloway - who was the sole owner/operator and employee of his company - routinely hung up if they telephoned to object or complain. Soloway would stay on the phone if the customer was placing an order for service or product.]
Count 20: T.C. will testify that in September, 2005, he began receiving spam at several domain names and e-mail addresses that he owned, including an “individually identifiable” e-mail address that consisted of his first and last name, at “universalbyte.com”. The spam advertised, and contained links to Soloway’s websites. T.C. had never opted in to receive this spam, and was distressed to see that the headers were forged in a way to make it appear as though the spam had been sent by him, from his own e-mail addresses and domain names. T.C. received up to 200 such spams daily. T.C. also received “bounce backs” to his addresses and domain names, indicating to him that spam with his addresses forged into “from” header fields had been transmitted to others. T.C. used the “unsubscribe” tool on Soloway’s website, and also sent e-mail to the administrative contact identified in a WHOIS lookup of Soloway’s website to demand that the spam using his addresses be stopped. The spam from Soloway with T.C.’s individually identifiable e-mail address forged into header “from” fields continued. T.C. was forced to close his main e-mail address, which had been his primary work e-mail address. Domains owned by T.C., the names of which Soloway had forged into “from” headers in spam, were also blacklisted by AOL and Hotmail, forcing him to give up ownership of those domain names, as well.
The e-mail addresses and domain names of R.M., T.C., and all of the other victims named in the aggravated identity theft counts either consist of, or contain their own individual names, or consist of a company name that is unique and either “alone, or in conjunction with . . . other information,” identifies a specific individual. They are thus “means of identification,” as that term is defined for purposes of 18 U.S.C. §1028A. They were “knowingly transferred, possessed or used” by Soloway, “without lawful authority” - forged by Soloway in the headers of spammed messages that were intended to further his wire/mail fraud scheme, and that were sent in violation of two separate provisions of 18 U.S.C. §1037. The victims themselves contacted Soloway to object and to direct him to stop the identity theft, thereby confirming the fact (and his knowledge) that the identities he had stolen belonged to “actual people” who did, in fact, object to their theft and unauthorized use.[12]
[12 As noted by the Defense in their Motion to Dismiss, there is a split among courts as to the mens rea requirement of 18 U.S.C. §1028A, with this Court holding in United States v. Beachem, 399 F. Supp. 2d 1156, 1158 (U.S.D.C. W.D. WA. 2005) that “knowingly,” as used in §1028A applies to “another person.” That standard is met in this case, because Soloway was repeatedly notified by the identity theft victims themselves that he was using their identities without their authority, and must stop doing so. Soloway brazenly continued to use their stolen individually identifiable e-mail addresses and domain names even after these objections were made.]
Soloway’s knowing, intentional and repeated egregious acts of identity theft fall squarely within the terms of the Aggravated Identity Theft statute. To the extent that any factual disputes over these violations exist, they properly should be resolved by the jury at trial. United States v. Beachem, supra, at 1158.
B. The Egregious Acts of Identity Theft Committed Repeatedly by Soloway and NIM Constitute Offenses Separate and Distinct From What is Needed to Charge Violations of 18 U.S.C. § 1037(a)(3)
While not characterized as such, defendant’s argument that the aggravated identity counts are “covered” by the §1037(a)(3) count is essentially one that these counts are multiplicitous. An indictment is multiplicitous if “it charges multiple counts for a single offense, producing two penalties for one crime and thus raising double jeopardy questions.” United States v. Stewart, 420 F.3d 1007, 1012 (9th Cir. 2005). Counts within an indictment are not, however, multiplicitous if “each separately violated statutory provision requires proof of an additional fact which the other does not.” Id.
[T]he test to be applied to determine whether there are two offenses or only one, is whether each provision requires proof of a fact which the other does not . . . A single act may be an offense against two statutes; and if each statute requires proof of an additional fact which the other does not, an acquittal or conviction under either statute does not exempt the defendant from prosecution and punishment under the other.
Blockburger v. United States, 284 U.S. 299, 404 (1932). “Congress has the power to establish that a single act constitutes more than one offense, at least as long as each offense requires proof of a fact the other does not.” United States v. Stearns, 550 F.2d 1167, 1172 (9th Cir. 1977); See also: United States v. Rude, 88 F.3d 1538 (9th Cir. 1996), (indictment using same wire transfers as basis for wire fraud and money laundering is not multiplicitous).
The crimes defined in sections 1028A(a)(1) and 1037(a)(3) of Title 18 are distinct offenses, requiring proof of different facts for conviction. Conviction under §1037(a)(3) requires proof that: 1) in, or affecting interstate commerce, 2) the defendant materially falsified header information, 3) in “multiple” commercial e-mail messages, and 4) that defendant intentionally initiated the transmission of those messages. Conviction under §1028A(a)(1) requires proof that: 1) during or in relation to one of the enumerated felonies, 2) the defendant knowingly transferred, possessed or used, without lawful authority, 3) a means of identification of another person. Proof of one of these offenses does not satisfy proof of the elements of the other.
They are not multiplicitous.
IV. Conclusion
Whereas a prosecutor “plays a strictly advisory role in sentencing decisions. . . [he or she] retains almost absolute discretion in charging decisions.” In re Morgan, 506 F.3d 705, 711 (9th Cir. 2007). “In our system, so long as the prosecutor has probable cause to believe that the accused committed an offense defined by statute, the decision whether or not to prosecute, and what charge to file . . . generally rests entirely in his discretion.” Bordenkircher v. Hayes, 434 U.S. 357 (1978).
Evidence well beyond the probable cause - even beyond the reasonable doubt - level, exists to support the §1037(a)(3), as well as the separate and distinct §1028A(a)(1) charges in this case. Defendant’s Motion to Dismiss Counts 19 - 25 should be denied.
DATED this 14th day of February, 2008.
Respectfully submitted,
JEFFREY C. SULLIVAN
United States Attorney
/s/ Kathryn A. Warma
Assistant U.S. Attorney