After he
was convicted of three counts of computer trespass in violation of New York Penal Law § 156.10, three counts of computer tampering in the third degree in
violation of New York Penal Law § 156.25[1], one count of unlawful duplication
of computer related material in the first degree in violation of New York Penal Law § 156.30[2] and one count of criminal possession of computer related
material in violation of New York Penal Law § 156.35, Louis Puesan
appealed. People v. Puesan, 2013 WL 5525987 (New York Supreme Court – Appellate Division 2013). (For the
convictions, he was sentenced to “an aggregate term of five years’
probation.” People v. Puesan, supra.)
As to how
the case arose, the opinion explains that on November 9, 2007, Puesan was
placed on disability leave from his job as a field technician
for Time Warner Cable. . . . [A]n employee who is placed on work leave is not
considered an active employee; his or her access card is disabled and thus
cannot be used to gain access to the company's offices.
This policy is
announced in employee handbooks provided to employees, and any employee placed
on leave is instructed by human resources department personnel regarding that
policy. Since the public is not allowed to enter Time Warner Cable's Northern
Manhattan office, security guards are stationed outside to ensure those
entering the building have valid ID cards.
[At trial,] David Lopez, a head-end technician for Time
Warner Cable, testified that sometime in late January or early February 2008,
he arrived at work at the company's Northern Manhattan office . . . and spotted
[Puesan] nearby. During a brief conversation, [Puesan] asked Lopez for [his]
personal log-in and password for Time Warner Cable's billing and customer
information system, CSG, but Lopez refused.
[Puesan said] he would find another
way to get that information. Specifically, . . . [Puesan] said he `might use a
keylogger’ to get the password he needed to gain access. . . . Lopez warned
Monty Harris, a Time Warner Cable crew chief and field technician, and two
supervisors, Lance Giancotti and Thomas Bonelli, that [Puesan] might do
something to the computers in the company's `service ready room.’ The service
ready room is accessible to all employees, and contains three computers, one
main computer and two `thin client’ computers. All three computers are
installed with a program, CSG, that gives employees access to customers'
personal information.
People v. Puesan, supra.
The
opinion says it was “undisputed” that on February 10, 2008, Puesan entered the
Time Warner Cable Northern Manhattan office at 5:17 p.m., and
left at 6:03 p.m. [At 5:30 p.m.,] Lopez . . . saw [him] using a computer in the
service ready room. . . .[W]hile Lopez and Harris saw [Puesan] using all three
of those computers . . . neither could see what he was doing with [them]. . . .
From the time he first saw [Puesan] using the computers to
the time he left at 6:30 p.m., Harris saw no other individual using [them]. [He]
did not notify anyone about [Puesan’s] use of the computer at the time; nor did
he check the computers after [Puesan] left.
The following morning, . . . Harris logged on to the
computers in the service ready room and noticed a program, Cracks, was open and
running on the main computer. Harris was curious as to what the program was,
and . . . visited the website and found it was a site that showed `how to generate
password keys for software.’ This website and program was used to gain access
to password-protected software. Harris discovered the same program was open and
running on the other two computers in the room.
As Harris went to report his
findings, he saw Lopez walking in to the room. He and Lopez talked, and Harris
reported his findings to Paul Hart, a foreman. Hart notified supervisor Lance
Giancotti about the situation, and Giancotti concluded there had been a
security breach.
Giancotti reported the security breach to Sandip Gupta, Time
Warner Cable's Senior Director of Information Technology, and Gupta directed
Marc Rosenthal, the IT Manager of Network Support, to go to the Northern
Manhattan office to examine the three computers in the service ready room. On
examining the computers, Rosenthal noticed a program, Winvestigator, that was
never installed or used by Time Warner Cable.
Rosenthal took screen shots of the
computers, which showed Winvestigator was installed on each of [them] between
5:45 p.m. and 6:15 p.m. on February 10, 2008. A search through the computers'
browser history revealed a site called Tropical Software was visited on all
three computers, and Rosenthal discovered Winvestigator could be downloaded and
purchased from that site. Rosenthal gathered and secured the computers to take
them to Time Warner's 23rd Street office.
When the computers arrived at Time Warner Cable's lab on 23rd
Street, Rosenthal and Gupta discovered unplugging them had caused the hard drives
to be erased on the two `thin client’ computers. However, the main computer's
hard drive remained intact, and Rosenthal was able to make a copy to analyze
without damaging the contents of the original hard drive.
[He] was unable to access Winvestigator's log file, which
keeps track of the program's information and data, and discovered it had been
password protected. To gain access to [it] Gupta purchased a `back-door’
password to . . . Winvestigator. Rosenthal was able to access the program. He
discovered [it] had stored his own password as well as Giancotti's. The
individual who installed Winvestigator on the Time Warner computers . . . had
set the program's password to `lp.’
People v. Puesan, supra.
Tom Allen, Time Warner Cable's Vice President of Security,
was notified of the problem in the Northern Manhattan office and reported it to
the New York City Police Department. People v. Puesan,
supra. On
April 3, Allen and Rosenthal turned over two hard drives and a desktop computer
tower to Detective Jorge Ortiz, of the NYPD's Computer Crime Squad, who was
trained in computer forensics. People v. Puesan, supra. Ortiz made copies of the hard drives and
desktop tower and conducted a forensic analysis on the copies. People v.
Puesan, supra.
He ran a program named NetAnalysis,
which analyzes the computer's Internet history, and two malware detection
programs, Gargoyle and Encase. He found that on February 10, 2008, at 5:32:09
p.m., someone visited . . . Cracks.com, which provides individuals with access
codes and key generators to access specific software. Additionally, between
5:32:58 p.m. and 5:58:19 p.m., someone visited the home page of Tropical
Software, which makes Winvestigator, and downloaded the program.
Both Gargoyle and Encase showed Winvestigator
[was] installed on the desktop computer on February 10, 2008. . . . Ortiz
determined Winvestigator's settings were set to log keystrokes, user sign-ons,
and the times programs opened and closed.
[It was also] programmed to
self-encrypt and not warn others that the program was running, so anyone
without the programmed password would be unable to look at the Winvestigator
log file, because it would display only incomprehensible text. Ortiz determined
Winvestigator had started to log keystrokes at 5:37 p.m. on February 10, 2008.
People v. Puesan, supra.
On appeal,
Puesan claimed the evidence presented at trial (and summarized above) was not sufficient to prove his guilty of the charges against him beyond a reasonable doubt. People v. Puesan, supra. The court began its analysis of the argument
by explaining that to “determine the legal sufficiency of the evidence to
support a conviction, the Court must view the evidence in the light most
favorable to the People to decide whether any rational trier of fact, using any
valid line of reasoning, could have found the elements of each crime beyond a
reasonable doubt.” People v. Puesan,
supra.
The
Appellate Division began with Puesan’s convictions for computer trespass,
noting that "under Penal Law § 156.10,” the evidence must show he
“`knowingly use[d] . . . or accesse[d] a computer . . . or computer network without authorization and
. . . knowingly gain[ed] access to
computer material.’” People v. Puesan,
supra. Puesan claimed he could not
be “convicted of accessing `computer material’ because he did not gain access
to the types of materials defined in the statute” and the evidence did not
prove “he lacked authorization to use the three computers.” People v. Puesan, supra.
The court
disagreed, finding, first, that the evidence “fully supports” the conclusion
that Puesan accessed Time Warner’s computers when he was not authorized to do
so:
Time Warner announced in its employee handbook that employees
on disability leave were prohibited from entering the building, and the company
deactivated those employees' access cards; this establishes that [he] had
actual notice that he lacked authorization to enter the building and to use the
company's computers.
Furthermore, [Puesan’s] request of Lopez to use his log-in
information, Lopez's refusal, and [Puesan’s] reply that he would find another
way to access the system, support the finding that [he] was aware of his lack
of authorization.
People v. Puesan, supra.
As to
Puesan’s argument that he did not access computer material, the court noted
that under New York Penal Law § 156.00[5], computer material consists of
computer data or a computer program that “`is not and is not intended to be
available to anyone other than the person . . . rightfully in possession’” of
it and that “accords or may accord such rightful possessors an advantage over
competitors or other persons who do not have knowledge or the benefit thereof’”.
People v. Puesan, supra
(quoting §156.00[5]).
The court explained that by using log-in information and
passwords obtained through his use of the keystroke-logging program Puesan was
able to obtain information that was not meant “to be available to anyone but
Time Warner and its “authorized employees”.
People v. Puesan, supra. It also found that the information was the
“sort of information businesses have an interest in protecting and keeping away
from competitors.” People v. Puesan, supra. It
therefore found the evidence supported Puesan’s convictions for computer
trespass. People v. Puesan, supra.
The court
then took up Puesan’s challenge to his convictions for computer tampering,
noting that the crime “is committed when the individual uses or accesses a computer
without authorization and `intentionally alters in any manner or destroys
computer data or a computer program of another person’”. People v. Puesan, supra (quoting New
York Penal Law § 156.20). Since the Appellate Division had already found that “the
evidence supports the finding that [Puesan] used or accessed three Time Warner
computers without authorization”, the only issue to be resolved was whether it
proved beyond a reasonable doubt that he intentionally altered or destroyed computer
data or a computer program.” People v.
Puesan, supra.
The court
found that it did: “The installation of
a program that secretly monitors and replicates other users' keystrokes, and
self-encrypts if the wrong password is used to attempt access to it,
constitutes an alteration of the computer programs or programs on of the
computers on which it was installed.” People
v. Puesan, supra. The Appellate
Division therefore affirmed his convictions for this offense. People v. Puesan, supra.
Next, Puesan
challenged his conviction for unlawful duplication of computer related material
in violation of New York Penal Law § 156.30[2].
People v. Puesan, supra. The court noted that someone commits this
offense when “having no right to do so, he or she copies, reproduces or duplicates
in any manner . . . any computer data or computer program with an intent to
commit or attempt to commit or further the commission of any felony.” People v. Puesan, supra (quoting §
156.30[2]). Puesan argued that “there is insufficient evidence that he duplicated
or copied computer materials.” People v. Puesan, supra. The Appellate Division, however, found that
the act of installing
a keystroke logging program to reproduce other
employees' user ID's and passwords amounts to arranging for the duplication of
that log-in information, to which [Puesan] alone gained access. The finding
that [he] arranged for the duplication of the user log-in information in
furtherance of his commission of the felony of computer trespass is fully
supported by the evidence.
People v. Puesan, supra.
Finally,
Puesan challenged his conviction for criminal possession of computer related
material. People v. Puesan, supra. One
is guilty of this offense when he/she “having no right to do so,” knowingly
possesses, “in any form, any copy, reproduction or duplicate of any computer
data or computer program which was copied, reproduced or duplicated in
violation of [New York Penal Law §] 156.30 . . . with intent to
benefit himself or a person other than an owner thereof.” New York Penal
Law § 156.35. Puesan argued that “it was
not proven that he `possessed’ computer related materials with the intent to
`benefit’ himself”. People v. Puesan, supra.
The
Appellate Division did not agree. It
noted, first, that it had already “determined that there is legally sufficient
evidence to establish that [Puesan] arranged for the duplication of computer
data in violation of Penal Law § 156.30”.
People v. Puesan, supra. The
court then found that there
is no requirement that [Puesan] physically, tangibly possess
the copies or duplicates of the information stored by the Winvestigator
program; the statute expressly states that possession `in any form’ is
sufficient. Since [he] alone had access to and exercised control over the
information Winvestigator duplicated, it follows that he constructively
possessed such duplicated materials.
As to whether his possession of the illicitly duplicated
computer data was `with intent to benefit himself or a person other than an
owner thereof,’ [Puesan’s] expressed desire to gain access to Time Warner's CSG
program, as well as the actions he took to gain that access, permit the
inference that he intended to benefit either himself or someone else with the
information he could obtain from the CSG system.
People v. Puesan, supra.
The court
therefore affirmed his conviction and sentence on all charges. People v. Puesan, supra. If you are interested, you can find a press
release on the case here.
No comments:
Post a Comment