Cybersecurity: Crime and Espionage
Swatting: From Fake 911 Call to SWAT Team Raid
On Dec. 29, 2017, police officers surrounded 28-year-old Andrew Finch’s house in Wichita, Kansas, in response to a 911 call. After being asked to come to the door with his hands up, Finch opened the door, allegedly failing to keep his arms raised. Seconds later, a police officer fatally shot him, apparently fearful that Finch was drawing a gun.
Finch had done nothing wrong. So what provoked the chain of events that led to his death? Beginning in a fake emergency call and ending with deployment of law enforcement to an unsuspecting victim’s house, this phenomenon is known as “swatting.”
The “Swatting” Phenomenon
The FBI defines “swatting” as the act of “calling 9-1-1 and faking an emergency that draws a response from law enforcement—usually a SWAT team.” Swatting is accomplished through a number of different techniques, including caller ID spoofing (concealing a caller’s identity through causing a telephone network to indicate a false origination location for a phone call), teletypewriter relay technologies (concealing identity through the use of a text-to-speech service), and social engineering.
Andrew Finch’s case began with an alleged dispute between Shane Gaskill and Casey Viner, both players of the online game Call of Duty: World War II. According to the government, Gaskill, a Wichita resident, accidentally killed Viner’s character. When Viner threatened via Twitter to “swat” Gaskill in retaliation, Gaskill allegedly dared Viner to try, tweeting the address “1033 W. McCormick” in Wichita. Although Gaskill used to live at that address, he and his family had been evicted in 2016. The house instead belonged to Finch, who was in no way involved with the game.
Angered that Gaskill didn’t think he would actually follow through, the government alleges, Viner called his friend Tyler Barriss, who had engineered swatting hoaxes before. Barriss allegedly then called 911, telling dispatchers that he had shot his father; was holding his mother and siblings hostage; and had poured gasoline all over the house and might set it on fire. Wichita police converged on the identified house and began the confrontation that resulted in Finch’s death. According to Wichita Police Chief Gordon Ramsay, the department has no policy or specific training on “swatting.”
History of Swatting
The first documented case of swatting appears to have occured in 2004, when a 14-year-old boy swatted a girl and her father after the girl refused to have sex with him. In recent years, celebrity incidents have dominated swatting headlines. In California alone, celebrity swatting victims have included comedian Russell Brand, actor Tom Cruise, singers Rihanna and Miley Cyrus, and TV personality Kim Kardashian.
Swatting not only evokes a significant law enforcement response—and therefore wastes public funds—but can also result in confrontation of unsuspecting victims at gunpoint. According to Kevin Kolbye, assistant special-agent-in-charge of the FBI’s Dallas Division, during SWAT team raids, officers “are in a heightened state, the safety’s off and their finger is close to the trigger.” It is this heightened alertness, combined with a lack of training around “swatting,” that likely contributed to the death of Andrew Finch.
Legal Implications of Swatting
Though there is no federal anti-swatting law, the government has prosecuted alleged “swatters” on charges including: obstruction of justice (via destruction of evidence: 18 U.S.C. § 1512; via retaliation: 18 U.S.C. § 1513), access device fraud (18 U.S.C. § 1029), interstate threats or extortion (18 U.S.C. § 875), computer misuse (18 U.S.C. § 1030), and the malicious conveying of false information (likely 18 U.S.C. § 2292). To date, the only federal law specifically outlawing the malicious use of technology for swatting is the Truth in Caller ID Act of 2009 (TICIDA), which makes it “unlawful for any person… to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.”
Barriss’s case is proceeding on the state rather than federal level: he has been charged by the State of Kansas with involuntary manslaughter, giving a false alarm and interference with law enforcement, and is scheduled to appear in Sedgwick County District Court for a preliminary hearing on Mar. 29. If convicted of involuntary manslaughter, a Level Five felony in Kansas, Barriss faces an 11-year sentence. Neither Viner nor Gaskill appear to have been charged. (Material from the criminal complaint against Barriss can be found here and here.)
On Jan. 22, Andrew Finch’s family filed a lawsuit in the U.S. District Court for the District of Kansas for use of excessive force, unconstitutional seizure and a “Monell Claim” (or a claim that the defendant officers’ misconduct was part and parcel of a widespread municipal policy) under 42 U.S.C. § 1983. The claimants pray for damages in excess of $75,000. Their lawsuit could serve as a model in federal court for families of other swatting victims.
Based on the publicly available record, very few swatting cases appear to have been prosecuted on the federal level relative to the number of incidents reported in the press. It may be that physical injury as a result of swatting is uncommon, so prosecution is not a priority; that swatting incidents tend not to be reported to law enforcement; or that cases tend to be prosecuted at the state level, as Barriss’s case is. Below is a review of the few swatting cases that resulted in federal criminal charges.
In 2007 and 2008, five people pleaded guilty to conspiracy charges related to a large-scale swatting incident that involved more than one hundred “SWAT” calls. According to the court, the swatting conspiracy involved more than one hundred victims, up to $250,000 in losses, and disruption of services for telecommunications providers and emergency responders. Per documents filed in one of the cases, from at least 2004, the defendants participated in a telephone chat group and agreed to harass chat group members and their families via swatting. The three lead defendants in the swatting conspiracy, Stuart Rosoff, Jason Trowbridge, and Chad Ward, were charged with one count of conspiracy (18 U.S.C. § 371) to violate four criminal statutes: using access devices to modify telecommunications instruments; making unauthorized access to protected telecommunications computers; exceeding authorized access to protected computers; and transmitting threats in interstate commerce with intent to extort (18 U.S.C. §§ 1029(a)(9); 1030(a)(5)(A)(ii) and B(iv); 1030(a)(2)(A); 875(d)). Ultimately, the ringleaders were sentenced to sixty months in prison each.
In 2014, in an extension of the same conspiracy for which Rosoff, Trowbridge and Ward were charged, Jason Neff pleaded guilty to federal charges. Along with the previously charged co-conspirators, Neff was a member of, and participated in, telephone party line chat groups in which he made, and facilitated the making of, swatting calls. In addition to being charged with conspiracy to use access devices to modify telecommunications instruments and to make unauthorized access to protected telecommunications computers (violation of 18 U.S.C. § 371 (18 U.S.C. §§ 1029(a)(9); 1030(a)(5)(A)(ii) and B(iv); 1030(a)(2)(A); 875(d))), Neff was also charged with obstruction: retaliation (violation of 18 U.S.C. § 1513(b)(2)). Neff was ultimately sentenced to five years in prison.
Another example of a federal swatting prosecution is the 2014 arrest and 2015 imprisonment of Connecticut man, Matthew Tollis. Tollis waived his right to an indictment and pleaded guilty to conspiring to engage in the malicious conveying of false information, namely a bomb threat hoax. Although the Justice Department press release does not contain the name of the statute that Tollis violated, the department’s description of Tollis’s having “pleaded guilty to conspiring to engage in the malicious conveying of false information” matches 18 U.S.C. § 2292, “imparting or conveying false information.” Neither the above Trowbridge, nor Neff, cases included such a statutory violation, though the statute arguably also applied in both cases. Tollis was sentenced to twelve months and one day of imprisonment, followed by three years of supervised release and 300 hours of community service.
After Andrew Finch’s death in Wichita, the Kansas House of Representatives introduced legislation that would tailor the existing state crime of “giving a false alarm” to law enforcement to better reflect swatting, and would increase the penalty as well. The Kansas House approved the bill on Feb. 22, and the Kansas Senate hearing is scheduled for Mar. 13. As of Mar. 8, U.S. Rep. Ron Estes of Kansas announced the introduction of the Preventing Swatting and Protecting Our Communities bill (the “Andrew Finch Memorial Act”) to the U.S. House of Representatives. This bill promises to impose stricter penalties on swatting, including up to 20 years in prison if the victim is seriously hurt.
But Estes’s bill is not the only recent federal legislation proposed to help combat the issue of swatting. Last year, Massachusetts Rep. Katherine Clark proposed legislation that would both outlaw internet harassment-based crimes like swatting and devote $20 million in grants for training state and local law enforcement, along with $4 million to establish a National Resource Center on Cybercrimes Against Individuals. Clark, a Democrat, cosponsored the bill with Republican Reps. Susan Brooks and Patrick Meehan. The Online Safety Modernization Act remains before the House Subcommittee on Crime, Terrorism, Homeland Security and Investigations.
Even so, the bill is not Congress’s first examination of the issue of swatting; it is not even Katherine Clark’s first attempt at sponsoring anti-swatting legislation. Since 2009, five other swatting or swatting-related bills have been introduced into Congress. These bills include:
- S. 30 (TICIDA)
- H.R. 3670 (Anti-Spoofing Act of 2014)
- H.R. 2031 (Anti-Swatting Act of 2015)
- H.R. 4057 (Interstate Swatting Hoax Act, co-sponsored by Katherine Clark)
- H.R. 2669 (Anti-Spoofing Act of 2016).
Of those bills, only one—TICIDA—actually passed both chambers, becoming Public Law 111-331 on December 22, 2010.
Yet a review of the case law suggests that seemingly none of the federal swatting prosecutions have utilized TICIDA. Perhaps, as Alicia Hatifled points out, prosecutors do not generally use TICIDA to prosecute swatting cases involving spoofing because “[c]ommitting fraud is generally illegal under many federal statutes that carry longer maximum fines than the TICIDA.” Instead, swatting involving spoofing is often prosecuted under statutes like 18 U.S.C. § 1029. The Wire Fraud Act could also be used, as some secondary sources point out, though it is unclear whether any cases have actually been prosecuted under that theory.
Online Safety Modernization Act of 2017
Katherine Clark’s Online Safety Modernization Act of 2017 proposes, among other things, amending Chapter 47 of Title 18 of the U.S. Code by adding § 1041, “False communications to cause an emergency response.” § 1041 would create both civil and criminal causes of action, specifically making it a crime to “use the mail or any facility or means of interstate or foreign commerce to knowingly transmit false or misleading information that would reasonably be expected to cause an emergency response.” Penalties for the criminal violation range from a fine to imprisonment for life if a death results. H.R. 3067 also includes a provision on reimbursement to any party that provides fire or rescue service incurring expense, subsequent to the false communication.
Of the federal prosecutions for swatting identified above, none have resulted in a sentence of more than five years. With the increased sentencing contained within the Online Safety Modernization Act of 2017, it is possible that some would-be criminal swatters will be deterred from such action by the possibility of lengthy incarceration. In addition, swatters would be putting themselves at risk of punishments of uncertain severity: the sentencing regime implemented by the statute is delineated by the negative effects of the swatting incident, which is out of the hands of the defendant and contingent on the response level (and mistakes) of law enforcement to the swatting call. Currently, sentencing is determined by the type of technology that the defendant uses or the type of harassment the defendant has perpetrated, so determined swatters have more control over the extent of their legal jeopardy— though swatters still risk unexpected manslaughter charges if the victim is killed during the incident.
In swatting prosecutions to date, statutes used are an imperfect fit for the crimes committed, and, with low sentencing structures, seem to do little to deter the crime. Because the Online Safety Modernization Act of 2017 provides a specific swatting cause of action and criminal sentencing including imprisonment of between five years and life—depending on whether the emergency response has led to injury or death—if enacted, the statute could potentially lead to an increase in swatting prosecutions and a reduction in the practice of swatting.
A review of the congressional history of related bills suggests that Congress is of a similar view, but has not yet agreed upon a singular way to criminalize swatting. In most of the previous swatting or swatting-related bills, Congress attempted to amend the Communications Act of 1934, not Title 18 of the criminal code, as here. In 2015, when Congress did try to directly amend the criminal code by way of the Interstate Swatting Hoax Act, swatting was the bill’s only focus. Perhaps the Online Safety Modernization Act—which addresses swatting along with doxxing and sextortion—will be more successful.