Course No.: 9200-710 (& 810)-001
Course ID: 85723 & 85725
Time: M, W 4:45-6:15 p.m.
|Professor Jay Dratler, Jr.||
Across from Room 231D (IP Alcove)
|Copyright © 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2008, 2010 Jay Dratler, Jr.|
|For permission, see CMI.|
United States v. Morris928 F.2d 504 (2d Cir. 1991)
Jon O. Newman and Winter, Circuit Judges, T. F. Gilroy Daly, District Judge.*
This appeal presents two narrow issues of statutory construction concerning a provision Congress recently adopted to strengthen protection against computer crimes. Section 2(d) of the Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030(a)(5)(A) (1988), punishes anyone who intentionally accesses without authorization a category of computers known as "federal interest computers" and damages or prevents authorized use of information in such computers, causing loss of $ 1,000 or more. The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of "access without authorization."
These questions are raised on an appeal by Robert Tappan Morris from the May 16, 1990, judgment of the District Court for the Northern District of New York (Howard G. Munson, Judge) convicting him, after a jury trial, of violating 18 U.S.C. § 1030(a)(5)(A). Morris released into INTERNET, a national computer network, a computer program known as a "worm"(1) that spread and multiplied, eventually causing computers at various educational institutions and military sites to "crash" or cease functioning.
We conclude that section 1030(a)(5)(A) does not require the Government to demonstrate that the defendant intentionally prevented authorized use and thereby caused loss. We also find that there was sufficient evidence for the jury to conclude that Morris acted "without authorization" within the meaning of section 1030(a)(5)(A). We therefore affirm.
In the fall of 1988, Morris was a first-year graduate student in Cornell University's computer science Ph.D. program. Through undergraduate work at Harvard and in various jobs he had acquired significant computer experience and expertise. When Morris entered Cornell, he was given an account on the computer at the Computer Science Division. This account gave him explicit authorization to use computers at Cornell. Morris engaged in various discussions with fellow graduate students about the security of computer networks and his ability to penetrate it.
In October 1988, Morris began work on a computer program, later known as the INTERNET "worm" or "virus." The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers. Morris designed the program to spread across a national network of computers after being inserted at one computer location connected to the network. Morris released the worm into INTERNET, which is a group of national networks that connect university, governmental, and military computers around the country. The network permits communication and transfer of information between computers on the network.
Morris sought to program the INTERNET worm to spread widely without drawing attention to itself. The worm was supposed to occupy little computer operation time, and thus not interfere with normal use of the computers. Morris programmed the worm to make it difficult to detect and read, so that other programmers would not be able to "kill" the worm easily. [*506]
Morris also wanted to ensure that the worm did not copy itself onto a computer that already had a copy. Multiple copies of the worm on a computer would make the worm easier to detect and would bog down the system and ultimately cause the computer to crash. Therefore, Morris designed the worm to "ask" each computer whether it already had a copy of the worm. If it responded "no," then the worm would copy onto the computer; if it responded "yes," the worm would not duplicate. However, Morris was concerned that other programmers could kill the worm by programming their own computers to falsely respond "yes" to the question. To circumvent this protection, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response. As it turned out, Morris underestimated the number of times a computer would be asked the question, and his one-out-of-seven ratio resulted in far more copying than he had anticipated. The worm was also designed so that it would be killed when a computer was shut down, an event that typically occurs once every week or two. This would have prevented the worm from accumulating on one computer, had Morris correctly estimated the likely rate of reinfection.
Morris identified four ways in which the worm could break into computers on the network:
Morris was found guilty, following a jury trial, of violating 18 U.S.C. § 1030(a)(5)(A). He was sentenced to three years of probation, 400 hours of community service, a fine of $ 10,050, and the costs of his supervision.
Section 1030(a)(5)(A), covers anyone who
Morris argues that the Government had to prove not only that he intended the unauthorized access of a federal interest computer, but also that he intended to prevent others from using it, and thus cause a loss. The adverb "intentionally," he contends, modifies both verb phrases of the section. The Government urges that since punctuation sets the "accesses" phrase off from the subsequent "damages" phrase, the provision unambiguously shows that "intentionally" modifies only "accesses." Absent textual ambiguity, the Government asserts that recourse to legislative history is not appropriate.
With some statutes, punctuation has been relied upon to indicate that a phrase set off by commas is independent of the language that followed. See United States v. Ron Pair Enterprises, Inc., 489 U.S. 235, 241, 109 S.Ct. 1026, 103 L. Ed. 2d 290 (1989) (interpreting the Bankruptcy Code). However, we have been advised that punctuation is not necessarily decisive in construing statutes, see Costanzo v. Tillinghast, 287 U.S. 341, 344, 53 S.Ct. 152, 77 L.Ed. 350 (1932), and with many statutes, a mental state adverb adjacent to initial words has been applied to phrases or clauses appearing later in the statute without regard to the punctuation or structure of the statute. In the present case, we do not believe the comma after "authorization" renders the text so clear as to preclude review of the legislative history.
The first federal statute dealing with computer crimes was passed in 1984, Pub. L. No. 98-473 (codified at 18 U.S.C. § 1030)). The specific provision under which Morris was convicted was added in 1986, Pub. L. No. 99-474, along with some other changes. The 1986 amendments made several changes relevant to our analysis.
First, the 1986 amendments changed the scienter requirement in section 1030(a)(2) from "knowingly" to "intentionally." The subsection now covers anyone who
This use of a mens rea standard to make sure that inadvertent accessing was not covered is also emphasized in the Senate Report's discussion of section 1030(a)(3) and section 1030(a)(5), under which Morris was convicted. Both subsections were designed to target "outsiders," individuals without authorization to access any federal interest computer. The rationale for the mens rea requirement suggests that it modifies only the "accesses" phrase, which was the focus of Congress's concern in strengthening the scienter requirement.
The other relevant change in the 1986 amendments was the introduction of subsection (a)(5) to replace its earlier version, subsection (a)(3) of the 1984 act, 18 U.S.C. § 1030(a)(3). The predecessor subsection covered anyone who
The Government's argument that the scienter requirement in section 1030(a)(5)(A) applies only to the "accesses" phrase is premised primarily upon the difference between subsection (a)(5)(A) and its predecessor in the 1984 statute. The decision to state the scienter requirement only once in subsection (a)(5)(A), along with the decision to change it from "knowingly" to "intentionally," are claimed to evince a clear intent upon the part of Congress to apply the scienter requirement only to the "accesses" phrase, though making that requirement more difficult to satisfy. This reading would carry out the Congressional objective of protecting the individual who "inadvertently ‘stumble[s] into' someone else's computer file."[*509]
The Government also suggests that the fact that other subsections of section 1030 continue to repeat the scienter requirement before both phrases of a subsection is evidence that Congress selectively decided within the various subsections of section 1030 where the scienter requirement was and was not intended to apply. Morris responds with a plausible explanation as to why certain other provisions of section 1030 retain dual intent language. Those subsections use two different mens rea standards; therefore it is necessary to refer to the scienter requirement twice in the subsection. For example, section 1030(a)(1) covers anyone who
There is a problem, however, with applying Morris's explanation to section 1030(a)(5)(A). As noted earlier, the predecessor of subsection (a)(5)(A) explicitly placed the same mental state requirement before both the "accesses" phrase and the "damages" phrase. In relevant part, that predecessor in the 1984 statute covered anyone who "knowingly accesses a computer without authorization, . . . and by means of such conduct knowingly uses, modifies, destroys, or discloses information in, or prevents authorized use of, such computer. . . ." 18 U.S.C. § 1030(a)(3) (emphasis added). This earlier provision demonstrates that Congress has on occasion chosen to repeat the same scienter standard in the "accesses" phrase and the subsequent phrase of a subsection of the Computer Fraud Statute. More pertinently, it shows that the 1986 amendments adding subsection (a)(5)(A) placed the scienter requirement adjacent only to the "accesses" phrase in contrast to a predecessor provision that had placed the same standard before both that phrase and the subsequent phrase.
Despite some isolated language in the legislative history that arguably suggests a scienter component for the "damages" phrase of section 1030(a)(5)(A), the wording, structure, and purpose of the subsection, examined in comparison with its departure from the format of its predecessor provision persuade us that the "intentionally" standard applies only to the "accesses" phrase of section 1030(a)(5)(A), and not to its "damages" phrase.
Section 1030(a)(5)(A) penalizes the conduct of an individual who "intentionally accesses a Federal interest computer without authorization." Morris contends that his conduct constituted, at most, "exceeding authorized access" rather than the "unauthorized access" that the subsection punishes. Morris argues that there was insufficient evidence to convict him of "unauthorized access," and that even if the evidence sufficed, he was entitled to have the jury instructed on his "theory of defense."
We assess the sufficiency of the evidence under the traditional standard. Morris was authorized to use computers at Cornell, Harvard, and Berkeley, all of which were on INTERNET. As a result, Morris was authorized to communicate with other computers on the network to send electronic mail (SEND MAIL), and to find out certain information about the users of other computers [*510] (finger demon). The question is whether Morris's transmission of his worm constituted exceeding authorized access or accessing without authorization.
The Senate Report stated that section 1030(a)(5)(A), like the new section 1030(a)(3), would "be aimed at ‘outsiders,' i.e., those lacking authorization to access any Federal interest computer." But the Report also stated, in concluding its discussion on the scope of section 1030(a)(3), that it applies "where the offender is completely outside the Government, . . . or where the offender's act of trespass is interdepartmental in nature." (emphasis added).
Morris relies on the first quoted portion to argue that his actions can be characterized only as exceeding authorized access, since he had authorized access to a federal interest computer. However, the second quoted portion reveals that Congress was not drawing a bright line between those who have some access to any federal interest computer and those who have none. Congress contemplated that individuals with access to some federal interest computers would be subject to liability under the computer fraud provisions for gaining unauthorized access to other federal interest computers. See, e.g., id. (stating that a Labor Department employee who uses Labor's computers to access without authorization an FBI computer can be criminally prosecuted).
The evidence permitted the jury to conclude that Morris's use of the SEND MAIL and finger demon features constituted access without authorization. While a case might arise where the use of SEND MAIL or finger demon falls within a nebulous area in which the line between accessing without authorization and exceeding authorized access may not be clear, Morris's conduct here falls well within the area of unauthorized access. Morris did not use either of those features in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.
Moreover, the jury verdict need not be upheld solely on Morris's use of SEND MAIL and finger demon. As the District Court noted, in denying Morris' motion for acquittal,
To extricate himself from the consequence of conceding that he made "unauthorized access" within the meaning of subsection (a)(3), Morris subtly shifts his argument and contends that he is not within the reach of subsection (a)(5) at all. He argues that subsection (a)(5) covers only those who, unlike himself, lack access to any federal interest computer. It is true that a primary concern of Congress in drafting subsection (a)(5) was to reach those unauthorized to access any federal interest computer. The Senate Report stated, "This subsection [(a)(5)] will be aimed at ‘outsiders,' i.e., those lacking authorization to access any Federal interest computer." But the fact that the subsection is "aimed" at such "outsiders" does not mean that its coverage is limited to them. Congress understandably thought that the group most likely to damage federal interest computers would be those who lack authorization to use any of them. But it surely did not mean to insulate from liability the person authorized to use computers at the State Department who causes damage to computers at the Defense Department. Congress created the misdemeanor offense of subsection (a)(3) to punish intentional trespasses into computers for which one lacks authorized access; it added the felony offense of subsection (a)(5) to punish such a trespasser who also causes damage or loss in excess of $ 1,000, not only to computers of the United States but to any computer within the definition of federal interest computers. With both provisions, Congress was punishing those, like Morris, who, with access to some computers that enable them to communicate on a network linking other computers, gain access to other computers to which they lack authorization and either trespass, in violation of subsection (a)(3), or cause damage or loss of $ 1,000 or more, in violation of subsection (a)(5).
Morris also contends that the District Court should have instructed the jury on his theory that he was only exceeding authorized access. The District Court decided that it was unnecessary to provide the jury with a definition of "authorization." We agree. Since the word is of common usage, without any technical or ambiguous meaning, the Court was not obliged to instruct the jury on its meaning.
An instruction on "exceeding authorized access" would have risked misleading the jury into thinking that Morris could not be convicted if some of his conduct could be viewed as falling within this description. Yet, even if that phrase might have applied to some of his conduct, he could nonetheless be found liable for doing what the statute prohibited, gaining access where he was unauthorized and causing loss.
For the foregoing reasons, the judgment of the District Court is affirmed.
1. [court's footnote] In the colorful
argot of computers, a "worm" is a program that travels from one computer
to another but does not attach itself to the operating system of the computer
it "infects." It differs from a "virus," which is also a migrating
program, but one that attaches itself to the operating system of any computer
it enters and can infect any other computer that uses files from the infected
Back to Text