After a “twelve-count
indictment was filed against Daniel Stratman on June 19, 2013”, he filed a
motion to dismiss the first two counts (“Counts I and II”), which charged him
with violating 18 U.S. Code § 1030(a)(5)(A).
U.S. v. Stratman, 2013 WL
5676874 (U.S. District Court for the Northern District of Nebraska 2013).
The federal district court judge who has the case
begins his opinion by explaining that the counts alleged the following:
DANIEL STRATMAN, knowingly caused the transmission of a
program, information, code, and command, and, as a result of such conduct,
intentionally caused damage without authorization to a protected computer, to
wit, the University of Nebraska and Nebraska State College Systems computer
systems, and the offense caused loss to a person or persons during a 1-year
period, from the defendant's course of conduct affecting a protected computer,
aggregating at least $5,000 in value.
U.S. v. Stratman, supra. You can read more about the charges, and what (allegedly)
led Stratman to be charged with these and other crimes, in the stories you can
find here and here.
As
Wikipedia explains, under Rule 12 of the Federal Rules of Criminal Procedure, a
defendant can file a motion arguing that one or more of the charges against
him/her must be dismissed because it is/they are legally insufficient. The judge began his ruling on Stratman’s
motion by explaining that
`[a]n indictment is legally sufficient on its face if it
contains all of the essential elements of the offense charged, fairly informs
the defendant of the charges against which he must defend, and alleges
sufficient information to allow a defendant to plead a conviction or acquittal
to bar a subsequent prosecution.’ U.S. v. Fleming, 8 F.3d 1264
(U.S. Court of Appeals for the 8th Circuit 1993).
The defendant argues the Indictment is defective because it
fails to include an essential element of the offense; specifically, he claims
any charge against him for violating18 U.S. Code § 1030(a)(5)(A) must
allege Stratman was not `permitted initial authorized access’ to the University
computer system.
To resolve the defendant's motion, the court must
determine the meaning of 18 U.S. Code § 1030(a)(5)(A) and the
elements required to prove it was violated. “If the plain language of [a]
statute is unambiguous, that language is conclusive absent clear legislative
intent to the contrary.
U.S. v. Stratman, supra.
The judge began his analysis of Stratman’s argument that the
§ 1030(a)(5)(A) charges were deficient by explaining that the statute, which
imposes liability and punishment on
anyone who `knowingly causes the
transmission of a program, information, code, or command, and as a result of
such conduct, intentionally causes damage without authorization, to a protected
computer.’
[Stratman’s] argument is premised on the claim that he `was
authorized to access the protected computer, and used that authorization to
access data in the computer for which he was not authorized, thereby exceeding
his authorization.’ . . .
[He] argues that while he admittedly exceeded the
scope of his authorized access, he did not act `without authorization’ within
the meaning of § 1030(a)(5)(A) because his initial access
to the system was authorized.
In
other words, [Stratman] claims § 1030(a)(5)(A) `cannot be criminally
violated by one who was authorized to access the computer at the time he caused
the alleged damage.’ . . . As the Magistrate Judge's findings and recommendation
persuasively explain, [Stratman’s] reading of the statute is unsupported.
The
phrase `without authorization’ modifies the phrase `intentionally causes
damages’: that is, one who is authorized to access a system, but not authorized
to damage it, violates the statute by intentionally damaging it `without
authorization.’
U.S. v. Stratman, supra.
In the
paragraph above, the U.S. District Court Judge is referring to the “Findings,
Recommendation and Order” a U.S. Magistrate Judge drafted for the District
Court Judge. U.S. v. Stratman, supra.
As Wikipedia notes, a District Court Judge can refer a matter, such as a
motion to dismiss, to a Magistrate Judge to have the latter analyze the issues
and write a “report and recommendation” to the judge. That is what happened here; in this
opinion the District Court Judge is ruling on Stratman’s motion and, in so
doing, relying on the Magistrate Judge’s Findings, Recommendation and Order.
Getting
back to the case, the opinion says Stratman claimed the Magistrate Judge
erred because the phrase `without authorization’ refers to `the element of access to the protected computer.’ . . . [Stratman] asserts that it is `manifest that an essential element of a violation of the Act would be that the person access the protected computer without authorization or by exceeding the authorization given.’ . . .
But that is not obvious at all, particularly in
context. Section 1030(a)(5) provides punishment for one who
(A) knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct, intentionally
causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes damage and loss.
U.S. v. Stratman, supra.
The judge
then explained that
[i]t is apparent from § 1030(a)(5)(B) and (C) that Congress knew exactly how to require proof that a defendant's access to a computer was unauthorized. ‘”[W]here Congress includes particular language in one section of a statute but omits it in another section of the same Act, it is generally presumed that Congress acts intentionally and purposely in the disparate inclusion or exclusion.’” Dean v. U.S., 556 U.S. 568 (2009) (quoting Russello v. U.S., 464 U.S. 16 (1983)).
There is, in fact, nothing in § 1030(a)(5)(A) to
suggest that access to a protected computer is an element of the offense at
all, whether or not it was authorized. Nor is that surprising: it is possible
for a perpetrator to damage a computer system by distributing a computer virus,
for instance, without ever directly accessing the damaged system.
The fact that
the defendant in this case did access the system, with authorization, does not
change the fact that if he intentionally damaged the system without
authorization, he may be charged with violating § 1030(a)(5)(A).
U.S. v. Stratman, supra.
The
District Court Judge then noted that while he found “that result to be
compelled by the plain language of the statute,” he also found that it was
supported by the statute’s legislative history. U.S. v. Stratman, supra. He pointed out that the “Senate
Judiciary Committee's report on the bill containing the relevant provision”
contains the following:
Specifically, as amended, subsection 1030(a)(5)(A) would
penalize, with a fine and up to 5 years' imprisonment, anyone who knowingly
causes the transmission of a program, information, code or command and
intentionally causes damage to a protected computer.
This would cover anyone
who intentionally damages a computer, regardless of whether they were an
outsider or an insider otherwise authorized to access the computer. Subsection
1030(a)(5)(B) would penalize, with a fine and up to 5 years' imprisonment, anyone
who intentionally accesses a protected computer without authorization and, as a
result of that trespass, recklessly causes damage. This would cover outside[ ]
hackers into a computer who recklessly cause damage.
Finally, subsection
1030(a)(5)(C) would impose a misdemeanor penalty, of a fine and up to 1 year
imprisonment, for intentionally accessing a protected computer without
authorization and, as a result of that trespass, causing damage. This would
cover outside hackers into a computer who negligently or accidentally cause
damage.
In sum, under the bill, insiders, who are authorized
to access a computer, face criminal liability only if they intend to cause
damage to the computer, not for recklessly or negligently causing damage. By
contrast, outside hackers who break into a computer could be punished for any
intentional, reckless, or other damage they cause by their trespass.
The rationale for this difference in treatment deserves
explanation. Although those who intentionally damage a system, without
authority, should be punished regardless of whether they are authorized users, it
is equally clear that anyone who knowingly invades a system without authority
and causes significant loss to the victim should be punished as well, even when
the damage caused is not intentional. . . .
[I]t is better to ensure that section
1030(a)(5) criminalizes all computer trespass, as well as
intentional damage by insiders, albeit at different levels of
severity.
U.S. v. Stratman, supra (quoting U.S. Senate Report No. 104–357 (1996) (emphasis added in the opinion)).
After
quoting this report, the judge pointed out that “both the language of the
statute and the legislative history support the conclusion that unauthorized
access to the protected computer system is not an element of
the offense defined by § 1030(a)(5)(A).” U.S. v. Stratman, supra (emphasis in the original).
He then
noted that Stratman
reasserts his contention that the phrase `without
authorization’ should not be related to the phrase “intentionally causes
damage” because it would not make sense for someone to be authorized to cause
damage. The Magistrate Judge's rejection of that point was persuasive, and the
Court need not restate it.
Anyone who has ever redecorated a home, for instance, is
familiar with the basic principle that sometimes `damage’ is necessary to
facilitate reconstruction or improvement. In the context of information
technology, the simplest example may be clearest: old files get deleted all the
time.
U.S. v. Stratman, supra.
The judge
therefore denied Stratman’s motion to dismiss. U.S. v. Stratman, supra.
No comments:
Post a Comment