Monday, May 15, 2017

Computer Crime, “Using” a Computer and the Motion for Judgment of Acquittal

This post examines a recent opinion from the Court of Appeals of Oregon: State v. Tecle, 2017 WL 1929845 (2017). The court begins its opinion by explaining that
[d]efendant appeals a judgment of conviction for 18 counts of identity theft, [Oregon Revised Statutes] 165.800; 12 counts of theft in the second degree, [Oregon Revised Statutes] 164.045; and 18 counts of computer crime, [Oregon Revised Statutes] 164.377(2). He assigns error to the trial court's denial of his motion for a judgment of acquittal on the computer crime counts, arguing that evidence that he knowingly provided false information to banks was not sufficient to show that he `used’ a computer within the meaning of [Oregon Revised Statutes] 164.377(2), because the state should have been required to prove that he directly accessed or manipulated the banks' computers. 
State v. Tecle, supra.
The Court of Appeals went on to point out that
[w]hen denial of a defendant's motion for a judgment of acquittal `centers on the meaning of the statute defining the offense,’ we review the interpretation of the statute for legal error.. State v. Hunt, 270 Or. App. 206, 210, 346 P.3d 1285 (2015) (internal quotation marks and citation omitted). In determining the sufficiency of the evidence, we review the facts in the light most favorable to the state to determine whether a rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt. State v. Cunningham, 320 Or. 47, 63, 880 P.2d 431 (1994), cert. den., 514 U.S. 1005 (1995).
State v. Tecle, supra.
The court then explained why the charges were brought against Tecle:
The relevant facts are undisputed. In September and October 2012, defendant engaged in a scheme to defraud two banks. Defendant personally visited several bank branches and opened checking and savings accounts. Defendant provided the banks' employees with false information, primarily fraudulent social security numbers and home addresses. The bank employees relied on the information defendant provided, entering that information into the banks' computer systems to create bank accounts for defendant. Defendant activated automatic teller machine (ATM) cards and provided worthless checks for deposit into his new accounts. In compliance with federal law, the banks made at least $100 available immediately after defendant opened the accounts, before the checks were processed. Shortly after defendant created the accounts, someone other than defendant used the ATM cards and passwords to withdraw credited funds from the accounts or make purchases before the banks could determine the validity of the checks. As a result, the banks suffered financial losses.

Defendant was charged with multiple counts of identity theft, theft in the second degree, and computer crime. At the close of the state's case, defendant moved for a judgment of acquittal on the computer crime counts, among others, arguing that the state failed to present any evidence that defendant `used’ a computer for purposes of ORS 164.377(2). He argued that there was no evidence that he opened an account online or that he withdrew any money from the accounts using an ATM. Defendant argued that, `just because a bank or a business that you go to uses computers, that doesn't mean that [defendant] used a computer.’ The state countered that defendant was `using a computer system’ by `trying to inflate a bank balance’ so that money could be withdrawn later from an ATM. In the state's view, providing false information to a bank employee, who then enters that information into the bank’s computer database, constitutes `using’ a computer under [Oregon Revised Statutes] 164.377(2). The trial court denied defendant's motion, and the jury convicted defendant on all counts.
State v. Tecle, supra.
The opinion then explains that
[o]n appeal, defendant renews his arguments made in the trial court. Defendant contends that the state's interpretation of the term `use’ under [Oregon Revised Statutes] 164.377(2) is overly broad and contrary to the legislature's intent. The state reiterates its arguments, relying primarily on the statute's text and context to contend that defendant “used” the banks' computer systems for purposes of ORS 164.377(2).

The parties' arguments raise a question of statutory interpretation of whether the legislature intended the phrase, to `use’ a computer system, to reach defendant's conduct here. In construing a statute, we consider its text, context, and legislative history, to discern legislative intent. State v. Gaines, 346 Or. 160, 171-72, 206 P.3d 1042 (2009).
State v. Tecle, supra.
The Court of Appeals began its analysis of this issue by explaining that
We begin with the text and context of the computer crime statute. That statute, [Oregon Revised Statutes] 164.377(2), provides:

`Any person commits computer crime who knowingly accesses, attempts to access or uses, or attempts to use, any computer, computer system, computer network or any part thereof for the purpose of:
`a) Devising or executing any scheme or artifice to defraud;
`(b) Obtaining money, property or services by means of false or fraudulent pretenses, representations or promises; or
`(c) Committing theft, including, but not limited to, theft of proprietary information or theft of an intimate image.’

The statute defines various terms, from `access’ to `services.’ For example, to `access’ is `to instruct, communicate with, store data in, retrieve data from or otherwise make use of any resources of a computer, computer system or computer network.’ ORS 164.377(a)(a) (emphasis added). The statute, however, does not define its term `use.’ 
State v. Tecle, supra.
The Court of Appeals then began its analysis of the meaning, and significance, of “using” a computer, explaining, initially, that 
`[b]ecause the legislature has not defined `use,’ we consider the term's ordinary, plain meaning. PGE v. Bureau of Labor and Industries, 317 Or. 606, 611, 859 P.2d 1143 (1993). The verb `use’ at the time the legislature enacted the statute was defined as `to carry out a purpose or action by means of : make instrumental to an end or process : apply to advantage : turn to account [.]’ Webster's Third New Int'l Dictionary 2524 (unabridged ed. 2002). The dictionary explains that `use is general and indicates any putting to service of a thing, usu[ally] for an intended or fit purpose or person [.]’ Id. That broad definition of `use’ posits a range of meanings, and it begs the question whether to `use’ may be directly or indirectly done.’
State v. Tecle, supra.
The opinion goes on to outline the arguments made by both parties, stating with Tecle:
Both parties argue that the text and context of [Oregon Revised Statutes] 164.377(2) supports their positions. Defendant observes that the plain meaning of `use’ can be either broad or narrow. Defendant argues that the `apply to advantage’ definition of `use’ connotes a `broad definition in which a person could take advantage of something indirectly, without accessing or manipulating it.’ Defendant contrasts that meaning of `use’ with the meaning of the phrases,`putting to service of a thing’ and `mak[ing] instrumental to an end.’ Webster's at 2524. He argues that the latter meaning of `use’ connotes a `more narrow definition in which a person directly manipulates something for an intended purpose, and that the thing being used be crucial to achieving that intended purpose.’ Defendant reasons that, because [Oregon Revised Statutes] 164.377(2) requires that the individual `use’ the computer `for the purpose of’ one of several prohibited activities, the context implies the direct manipulation of the computer for an intended and prohibited purpose, rather than indirectly taking advantage of someone else's manipulation of a computer system. Therefore, defendant posits that the legislature had a narrow definition of `use’ in mind—specifically to target computer hackers—when it enacted the computer crime statute.
State v. Tecle, supra.
The court then takes up the arguments made by the prosecution, explaining that the
state responds that nothing in the statute connotes a requirement that, to `use’ a computer in order to execute a fraud, the perpetrator must personally enter the fraudulent information into the computer. Applying one meaning of `use,’ the state argues that defendant `used’ a computer because defendant `carried out his purpose to commit fraud by means of the banks' computer networks.’ Or, applying another meaning, the state argues that defendant made the banks' computers `instrumental’ to the end of committing theft by fraud, and thus `used them for that purpose.’

For support, the state cites State v. Osborne, 242 Or. App. 85, 255 P.3d 513 (2011) as an application of the dictionary definition of the term `use’ in a different statute. In that case, we concluded that the evidence was sufficient for a jury to find that the defendant `used’ a knife for purposes of first-degree robbery, ORS 164.415, when he held a knife in his hand and demanded money from a store clerk. Id. at 89-90. Osborne does not resolve the question here, however, because, in that case, the defendant personally held the knife to carry out the robbery. Further, dictionary definitions do not resolve our question. `In construing statutes, we do not simply consult dictionaries and interpret words in a vacuum. Dictionaries, after all, do not tell us what words mean, only what words can mean, depending on their context and the particular manner in which they are used.’ State v. Cloutier, 351 Or. 68, 96, 261 P.3d 1234 (2011) (emphasis in original). In this case, further inquiry is needed to determine the legislature's intent.
State v. Tecle, supra.
The court went on to note that
[l]ike defendant, we acknowledge that the plain meaning of `use’ can be broad or narrow. As the parties' textual arguments demonstrate, the court could reach different results depending on how broadly or narrowly the term `use’ is construed. Recognizing a similar dilemma in interpreting another subsection of ORS 164.377, the Supreme Court looked to legislative history to understand that subsection based on the `context of the technology of the time. State v. Nascimento,’  360 Or. 28, 42-44, 379 P.3d 484 (2016); see State v. Perry, 165 Or. App. 342, 349, 996 P.2d 995 (2000), aff'd, 336 Or. 49, 77 P.3d 313 (2003) (`Context may be found in * * * the historical context of those relevant enactments.’). Although the state's proposed construction of the word `use’ in ORS 164.377(2) is plausible, that construction becomes untenable when considered in light of the legislative history.
State v. Tecle, supra.
The opinion goes on to explain that
[t]he statute, ORS 164.377, began as House Bill (HB) 2795. The bill was originally introduced during the 1985 legislative session to combat the theft of cable television services. See Bill File, HB 2795 (1985) (before amendment). Representatives of the General Telephone Company urged a House Judiciary subcommittee to adopt an amendment to respond to a related and growing problem at the time, described as `computer crime, or computer hackers if you will.’ Tape Recording, House Judiciary Committee, Subcommittee 1, HB 2795, May 6, 1985, Tape 576 (statement of Dave Overstreet, General Telephone Company). Sterling Gibson, an employee of General Telephone Company, explained that many businesses had come to use computers and that the purpose of the amendment was to `prevent people from calling into someone's computer’ to manipulate the data and `create havoc to that business or industry.’ Id. (statement of Sterling Gibson). To illustrate the kind of conduct the amendment sought to prohibit, he provided some examples: people who remotely accessed business computers and altered business documents; students who used computers to automatically `scan’ telephone exchanges for unsecured computer systems into which they could remotely dial; and individuals who publicly posted confidential long-distance telephone `billing codes’ on computer bulletin board systems. Id.
State v. Tecle, supra.
The Court of Appeals went on to explain that this
testimony, and other testimony, supports the sense that the bill was targeted at computer hacking and the direct manipulation of information stored within the computer or computer systems. For example, one legislator expressed concern that the amendment might criminalize the conduct of computer hobbyists who used telephone modems of that era to connect with other computers. Id. (statement of Rep Kopetski). Marion County District Attorney Dale Penn emphasized that the law would not apply to people who are allowed access to computer systems:

`There we get into the definition of ‘access.’ I think * * * if you call up to a computer system and you're not authorized you're probably not even going to be able to get the menu up. If you're calling to a bulletin board you're going to see the menu. And that's not what we're addressing here. We're addressing a computer system in which you're not authorized to dial. You won't know the codes.’

Id. (statement of District Attorney Dale Penn). A committee chair asked why the amendment was necessary in light of a previously enacted `theft of services’ statute. Gibson from General Telephone replied that the amendment was concerned with people utilizing computers to `manipulat[e] * * * documents that are vital to th[e] organization,’ which may or may not constitute theft. He stated that, `[a]gain we are not dealing necessarily with the theft of something, we are dealing with manipulation. We have in the environment computers with the ability of having information being observed by another * * *.’ Id. (statement of Sterling Gibson).

The amendments were adopted in the House Judiciary subcommittee and moved to the House Judiciary Committee and the Senate Judiciary Committee, where testimony again focused on computer hacking. At the House Judiciary Committee, legislative counsel stated that the proposed amendment was introduced to address the `idea of people who use their computers or instruments to get access to computer systems or networks and then gain by using the information or program that belongs to someone else.’ Tape Recording, House Judiciary Committee, HB 2795, May 13, 1985, Tape 613, Side A (statement of legislative counsel) (emphasis added). Before the Senate Judiciary Committee, Dave Overstreet, also from General Telephone, emphasized that the `bill address[es] computer hackers—persons who use computers to defraud. Computers can now be used to talk to other computers.’ Minutes, Senate Judiciary Committee, HB 2795, June 7, 1985, 18 (minutes noting comments; audiotape malfunctioned).
State v. Tecle, supra.
The Court of Appeal then began the process of articulating its holding – its decision – in this case, explaining that
[i]n sum, the legislative history of ORS 164.377 demonstrates that the bill was intended to combat `computer hacking,’ commonly understood as the practice of gaining access to a computer system and often tampering with sensitive data or information stored within. See Nascimento, 360 Or. at 42-44. In 1985, the legislature was concerned with people operating a computer to `call[ ] into someone's computer’ to manipulate the data stored within the computer, accessing someone's computer without authorization, and directly using computers for larcenous or fraudulent purposes. There is no indication that the bill was intended to reach the conduct of a person, such as defendant, who simply provided false information to an authorized employee, who then entered that false information into an employer's computer system. The 1985 legislature did not intend to turn ordinary theft or fraud into a computer crime merely when the victim's employee made authorized use of a computer, doing ordinary data entry, and when the perpetrator did not directly access or manipulate the computer.

The state acknowledges that the legislature's motivation was to criminalize computer hacking, but it argues that the `text the 1985 legislature ultimately adopted is not limited to addressing the problem of trespass-by-computer.’ The state argues that subsections (3) and (4) criminalize computer use that is `without authorization,’ so subsection (2) should be construed more broadly to include `areas outside that concern.’

In Nascimento, 360 Or. at 43-44, the Oregon Supreme Court rejected a similar argument about subsection (4) of ORS 164.377. In that case, the issue was the meaning of the phrase, `without authorization.’ Under 164.377(4), it is a crime to use, access, or attempt to access a computer or computer network `without authorization.’ ORS 164.377(4). The state urged the court to adopt a broad interpretation of `without authorization,’ arguing that the defendant's computer use violated her employer's computer use policies and, therefore, her violation of those policies constituted computer crime under ORS 164.377(4). Nascimento, 360 Or. at 35-36. The court concluded that the legislative history of ORS 164.377 established that the statute was intended to `address the unauthorized access of a computer by ‘hackers' or others who had no authority to use the computer.’ Id. at 43. The state contended that, even if the legislative history reflected those concerns, `the text that the legislature adopted is “not so limited,” and that it prohibits all “access” that is ‘without authorization’” Id. at 43-44 (emphasis in original). The court rejected the state's interpretation, explaining that the legislature may ultimately choose to adopt `broader language that applies to a wider range of circumstances than the precise problem that triggered legislative attention,’ but that `does not mean that we necessarily interpret statutes in the broadest possible sense that the text might permit.’ Id. at 44 (internal quotation marks and citation omitted).
State v. Tecle, supra.
The court then articulated its holding, its decision, on this issue:
[s]imilarly, here, the state urges us to interpret `use’ in the broadest possible sense, notwithstanding the narrower legislative history of ORS 164.377. However, we decline to interpret `use’ to include the situation in the present case, where defendant did not directly access or manipulate a computer or computer system in the commission of theft or fraud. Although defendant induced the banks to act to permit his theft, at all times the victim banks remained in unqualified and uncompromised control of their computer systems. Therefore, we conclude that defendant did not `use’ a computer or computer system within the meaning of ORS 164.377(2). The trial court, therefore, erred in denying defendant's motion for a judgment of acquittal on the computer crime counts.
State v. Tecle, supra.
It therefore held that
[c]onvictions on Counts 2, 5, 8, 11, 14, 16, 18, 21, 24, 26, 28, 31, 34, 36, 38, 41, 44, and 47 reversed; Count 10 reversed and remanded for entry of judgment of conviction for identity theft; remanded for resentencing; otherwise affirmed.
State v. Tecle, supra.


No comments:

Post a Comment