Monday, October 20, 2008

Aiding & Abetting Unauthorized Access

About a month ago, I did a post on aiding and abetting the crime of exceeding authorized access to a computer.

As I noted there, the exceeding authorized access crime is necessarily committed by an “insider,” somehow who has authorization to access part of a computer system but intentionally goes beyond the scope of their legitimate access. This post is about a related issue: aiding and abetting the crime of gaining unauthorized access to a computer.

The case we’re going to use to analyze this crime is U.S. v. Willis, 476 F.3d 1121
(10th Circuit Court of Appeals 2007). Here are the facts in the case:
[Todd] Willis was employed by Credit Collections, Inc., . . . [a] debt collection agency. To obtain information . . . for debt collection, the agency utilized a . . . website called -- owned by LexisNexis. The information . . . on includes the names, addresses, social security numbers, dates of birth, telephone numbers, and other data of many individuals. . . . [T]o access information on, customers must contract with LexisNexis and obtain a username and password. . . . Willis assigned to employees usernames and passwords to access Employees were not authorized to obtain information from for personal use. Willis deactivated the usernames and passwords of employees who no longer worked for the company.

While investigating . . . Michelle Fischer and Jacob Wilfong for identity theft, police officers found pages . . . from with identifying information for many people. The information . . . was used to make false identity documents, open instant store credit at various retailers, and use the store credit to purchase goods that were sold for cash. A subpoena to revealed that the information had been obtained through the user name `Amanda Diaz,’ which was assigned to Credit Collections, Inc. Secret Service agents twice interviewed Willis about the identity theft. During the first interview, Willis insisted the username and password assigned to Amanda Diaz had been deactivated and there was no way to determine who had accessed the website. During the second interview, . . . Willis admitted he had given a username and password to his drug dealer in exchange for methamphetamine. . . . [H]e met Fischer through his drug dealer and began providing to her individuals' information he obtained through After Fischer continued to ask . . . information, he gave her the Amanda Diaz username and password so she could access herself. . . . [When she] was having trouble accessing the site, Willis helped her to log on and . . . showed her how to obtain access to individuals' addresses, social security numbers, dates of birth, etc. . . . Fischer said she would `take care of [him] later.’ She later gave him a silver Seiko watch. When Willis learned through a newspaper article that Ms. Fischer had been arrested for identity theft, he deactivated the username and password.
U.S. v. Willis, supra.

Willis was indicted on 1 count of aiding and abetting unauthorized access to a computer in violation of 18 U.S.Code 1030(a)(2)(C) and convicted, He appealed, arguing that the prosecution had not proved he knowingly, and with the intent to defraud, aided another in obtaining unauthorized access to a computer. U.S. v. Willis, supra.

Willis argued that the person who aids and abets must have the intent to defraud in so doing. U.S. v. Willis, supra. He claimed there was no proof he knew Fischer would use the information she obtained from to commit identity theft; he said the evidence presented at trial only showed that he thought he was helping her obtain information on people who owed her money. U.S. v. Willis, supra.

The Circuit Court of Appeals disagreed. It began by noted that to be convicted of aiding and abetting, a defendant must share the intent to commit the underlying offense. U.S. v. Willis, supra. To be convicted of the underlying offense -- 18 U.S. Code § 1030(a)(2)(C) -- a defendant must “intentionally access[ ] a computer without authorization . . . and thereby obtain . . . information”. U.S. v. Willis, supra. The court held that § 1030(a)(2)(C) does not require proof of intent to defraud; it only requires proof that the defendant intentionally accessed a computer without authorization and obtained information.

Willis based his argument on the premise that “intent to defraud is an element of § 1030(a)(2)(C) because it is . . . an element under § 1030(a)(4).” U.S. v. Willis, supra. Section 1030(a)(4) makes it a federal crime to “knowingly and with intent to defraud” access a computer “and by means of such conduct further the intended fraud and obtains anything of value”. The Court of Appeals began its analysis of the issue by noting that a plain reading of the statute shows that
the requisite intent to prove a violation of § 1030(a)(2)(C) is not an intent to defraud (as it is under (a)(4)), it is the intent to obtain unauthorized access of a . . . computer. . . . [T]o prove a violation of (a)(2)(C), the Government must show that the defendant: (1) intentionally accessed a computer, (2) without authorization (or exceeded authorized access), (3) and thereby obtained information from any protected computer if the conduct involved an interstate or foreign communication. The government need not also prove that the defendant had the intent to defraud in obtaining the information or that the information was used to any particular ends.
U.S. v. Willis, supra.

The court also rejected Willis’ argument that § 1030(a)(2)(C) “is the general provision of the statute” and § 1030(a)(4) “is the specific provision of the statute. That is, he argues, subsection (a)(4) sets out the specific elements required to prove a violation of subsection (a)(2)(C), and his conduct should be judged under subsection (a)(4), requiring an intent to defraud.” U.S. v. Willis, supra. The Court of Appeals didn’t buy this argument, either:
[O]ther courts have explained that each subsection of § 1030 addresses a different type of harm. . . . For example, subsection (a)(2)(C) requires that a person intentionally access a computer without authorization and thereby obtain information, whereas subsection (a)(5)(C) requires that a person intentionally access a computer without authorization and thereby cause damage. . . . Similarly, subsection (a)(4) has different elements than subsection (a)(2)(C). In addition to requiring that a person act with the specific intent to defraud, a violation of (a)(4) also differs from (a)(2)(C) in that a person can violate the former by obtaining `anything of value’ by the unauthorized access, whereas, as noted above, a person violates (a)(2)(C) by obtaining `information.’
Willis does not contest that he provided Fischer unauthorized access to He merely argues that he had no intent to defraud in so. . . . As the foregoing discussion demonstrates, such proof is not required to establish a violation of § 1030(a)(2)(C). Accordingly, his sufficiency of the evidence argument fails.
U.S. v. Willis, supra.

No comments: