“Breach of Computer Security”

This post deals with a prosecution for “breach of computer security” in violation of Texas law.

Texas Penal Code § 33.02(a) defines the crime as follows: “A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.”

Sabina Muhammed was convicted of violating § 33.02(a) and sentenced to “180 days confinement in the Harris County Jail, probated for two years.” Muhammed v. State, __ S.W.3d __, 2011 WL 80741 (Texas Court of Appeals 2011). She appealed, arguing, in part, that the evidence presented at trial was not sufficient to support the conviction. Muhammed v. State, supra.

This is how the prosecution arose:

[Muhammed] and . . . Heber Saravia, an engineering student, both attended the University of Houston (`UH’). At the end of the spring 2004 semester, Saravia received an email in one of his UH accounts from an unknown Yahoo account, which contained his social security number. This was the beginning of a series of incidents involving Saravia's UH account. These included one incident in the fall of 2004, when Saravia discovered someone had hacked into his UH account, changed his password, and had deleted all of his engineering work stored there.

The incidents began to escalate in 2006 when Saravia started receiving emails inquiring about his personal life. One of these provided a hint as to who the sender might be: the email mentioned `their name started with an “S.”’ Another incident involved Saravia receiving a notice from the UH College of Business indicating he had requested to change his major. Saravia testified this was not correct as he was `in the middle of [his] engineering degree’ and was passing all of his classes. . . .

Saravia [also] noticed [Muhammed] waiting for him outside his classrooms, observing him at the Metro bus stop, and following him around the UH campus. [He] testified that [she] sent him a `friend request’ on Facebook. . . . [and] transcripts of other UH students were mailed to his home address. During the spring of 2007, the UH Police Department notified Saravia that someone had been using his e-mail address to conduct fraudulent activities. Saravia testified he never granted [Muhammed] permission to access his UH account or any of the information contained therein.

Muhammed v. State, supra. David Canales, “a UH alumnus,” also testified at Muhammed’s trial. He said he had encountered problems with his UH account

similar to those experienced by Saravia. Canales also testified that he had witnessed [Muhammed] following him around the UH campus as well. After Canales reported to the UH Police Department that someone had hacked into his UH account and made changes, Officer Russell Lyman of the UH Police Department began investigating.

Muhammed v. State, supra.

The UH information technology department provided Officer Lyman with IP addresses that were used to access the

UH students' information. Most of the IP addresses were located at UH, however one was located at Lone Star College (`LSC’). Lyman looked for a connection between the schools. He discovered that [Muhammed], a UH student, worked at LSC as a tutor and had access to the computers located on the LSC campus. Officer Lyman requested that the LSC police monitor [her] computer use.

Muhammed v. State, supra. Pervaiz Parker, “an LSC police officer,” also testified at Muhammed’s trial. Muhammed v. State, supra. He testified that he knew Muhammed

only worked at LSC on Saturdays. . . . [O]n Saturday, February 24, 2007, he spotted [her] in the LSC computer lab. Parker walked behind [Muhammed] while she was using one of the computers in the . . . lab. [He] noticed [she] was accessing the UH website. Parker saw the name `Vargas’ on [her] computer screen. . . .Vargas was one of the six names associated with UH accounts that had been improperly accessed. . . .

Officer Parker contacted an information technician at the LSC IT department, Wesley Parker. Officer Parker asked Mr. Parker to remotely monitor [Muhammed’s] computer. Mr. Parker proceeded to remotely access [her] computer and determined she was on the UH website.

Mr. Parker, and later his supervisor Celeste Burkards, captured images of the computer screens as [Muhammed] accessed various UH student accounts for approximately forty minutes. During this time period, [she] accessed Saravia's student account as well as the accounts of other UH students. After [she] finished browsing, she deleted her browsing history and cookies. The images of [her] activities captured by Mr. Parker and Ms. Burkards were printed, turned over to Officer Lyman, and admitted into evidence during [Muhammed’s] trial.

Muhammed v. State, supra.

At trial, Muhammed took the stand and “insisted that mismanagement of the UH computer accounts was responsible for the breach of security on Saravia’s UH account.” Muhammed v. State, supra. Muhammed maintained that she did not know Saravia and

had never noticed him on the UH campus. [She] testified she was always in class, at work, or at home studying, and therefore could not have been in the same places as Saravia. [She] testified to this effect even though Saravia had not testified as to specific dates and times when he had seen [her] following him. When asked about the State's screen captures, [Muhammed] did not recall seeing any of the screen images and implied that [they] had been fabricated as they appeared `copied and pasted.’

Muhammed v. State, supra. The jury apparently didn’t believe her because Muhammed was convicted, sentenced and then filed a motion for a new trial. Muhammed v. State, supra. The court held a hearing on her motion for a new trial, at which she called

Uche Okafor to testify [as] to the authenticity of the State's screen shots. Okafor . . . is the founder of Iseek4 Computer Consulting, . . . [which] deals with networking, database management, computer surveillance, software management, and other similar activities. He also testified that he had discovered discrepancies in the . . . screen shots. . . .

Okafor noted that several of the State's exhibits simultaneously displayed the alleged hacking from [Muhammed’s] remotely-accessed computer with the computer clock showing the date and time. [He] opined that when an individual accesses a remotely-accessed computer, such as the one used by [Muhammed], it is impossible for that person to `pull up the clock from the computer to show the time and date.’ Okafor insisted the UH system had `very good security policies’ where it was `impossible . . . that a student can access the [UH] e-mail account without being the actual student or knowing the user credentials.’

Muhammed v. State, supra.

Muhammed claimed Okafor’s testimony was “newly-discovered evidence” which entitled her to a new trial under Texas law. Muhammed v. State, supra. Under Texas Code of Criminal Procedure § 40.001, a “new trial shall be granted where material evidence favorable to the accused has been discovered since trial.” The trial judge in this case “pointed out that [Muhammed]] could have subpoenaed” Okafor to testify at trial, which meant that his testimony was not “newly-discovered evidence.” Muhammed v. State, supra. The judge therefore denied the motion for a new trial, which led to the appeal. Muhammed v. State, supra.

On appeal, as noted earlier, Muhammed claimed the evidence presented at trial was not sufficient to prove beyond a reasonable doubt that she illegally accessed Saravia’s account, thereby committing breach of computer security. Muhammed v. State, supra. The Court of Appeals basically reviewed the evidence outlined above and held that it was, in fact, sufficient to support the conviction. Muhammed v. State, supra.

The Court of Appeals also rejected Muhammed’s argument that the trial judge abused his discretion in denying her motion for a new trial; it did not reach the merits of the motion. Muhammed v. State, supra. Instead, it held that Muhammed had waived this issue by “failing to adequately brief it” on appeal. Muhammed v. State, supra. It therefore affirmed the conviction. Muhammed v. State, supra.

This obviously isn’t a case that presented any novel legal issues (except, I guess, the notion of illegally accessing a computer as a breach of computer security). I decided to write it about it because of the rather unusual name of the crime . . . and because this is one of those cases where you have to wonder what the defendant was thinking. . . .