Wednesday, October 30, 2013

The Computer Science Student, Authorization and the University

After a “twelve-count indictment was filed against Daniel Stratman on June 19, 2013”, he filed a motion to dismiss the first two counts (“Counts I and II”), which charged him with violating 18 U.S. Code § 1030(a)(5)(A).  U.S. v. Stratman, 2013 WL 5676874 (U.S. District Court for the Northern District of Nebraska 2013).   

The federal district court judge who has the case begins his opinion by explaining that the counts alleged the following:

DANIEL STRATMAN, knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to a protected computer, to wit, the University of Nebraska and Nebraska State College Systems computer systems, and the offense caused loss to a person or persons during a 1-year period, from the defendant's course of conduct affecting a protected computer, aggregating at least $5,000 in value.

In violation of 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B).

U.S. v. Stratman, supra.  You can read more about the charges, and what (allegedly) led Stratman to be charged with these and other crimes, in the stories you can find here and here.

As Wikipedia explains, under Rule 12 of the Federal Rules of Criminal Procedure, a defendant can file a motion arguing that one or more of the charges against him/her must be dismissed because it is/they are legally insufficient.  The judge began his ruling on Stratman’s motion by explaining that

`[a]n indictment is legally sufficient on its face if it contains all of the essential elements of the offense charged, fairly informs the defendant of the charges against which he must defend, and alleges sufficient information to allow a defendant to plead a conviction or acquittal to bar a subsequent prosecution.’ U.S. v. Fleming, 8 F.3d 1264 (U.S. Court of Appeals for the 8th Circuit 1993).  

The defendant argues the Indictment is defective because it fails to include an essential element of the offense; specifically, he claims any charge against him for violating18 U.S. Code § 1030(a)(5)(A) must allege Stratman was not `permitted initial authorized access’ to the University computer system.

To resolve the defendant's motion, the court must determine the meaning of 18 U.S. Code § 1030(a)(5)(A) and the elements required to prove it was violated. “If the plain language of [a] statute is unambiguous, that language is conclusive absent clear legislative intent to the contrary. 

U.S. v. Stratman, supra.  

The judge began his analysis of Stratman’s argument that the § 1030(a)(5)(A) charges were deficient by explaining that the statute, which imposes liability and punishment on

anyone who `knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.’ 

[Stratman’s] argument is premised on the claim that he `was authorized to access the protected computer, and used that authorization to access data in the computer for which he was not authorized, thereby exceeding his authorization.’ . . . 

[He] argues that while he admittedly exceeded the scope of his authorized access, he did not act `without authorization’ within the meaning of § 1030(a)(5)(A) because his initial access to the system was authorized.

In other words, [Stratman] claims § 1030(a)(5)(A) `cannot be criminally violated by one who was authorized to access the computer at the time he caused the alleged damage.’ . . . As the Magistrate Judge's findings and recommendation persuasively explain, [Stratman’s] reading of the statute is unsupported. 

The phrase `without authorization’ modifies the phrase `intentionally causes damages’: that is, one who is authorized to access a system, but not authorized to damage it, violates the statute by intentionally damaging it `without authorization.’

U.S. v. Stratman, supra.  

In the paragraph above, the U.S. District Court Judge is referring to the “Findings, Recommendation and Order” a U.S. Magistrate Judge drafted for the District Court Judge. U.S. v. Stratman, supra.  As Wikipedia notes, a District Court Judge can refer a matter, such as a motion to dismiss, to a Magistrate Judge to have the latter analyze the issues and write a “report and recommendation” to the judge.  That is what happened here; in this opinion the District Court Judge is ruling on Stratman’s motion and, in so doing, relying on the Magistrate Judge’s Findings, Recommendation and Order.

Getting back to the case, the opinion says Stratman claimed the Magistrate Judge

erred because the phrase `without authorization’ refers to `the element of access to the protected computer.’ . . . [Stratman] asserts that it is `manifest that an essential element of a violation of the Act would be that the person access the protected computer without authorization or by exceeding the authorization given.’ . . . 

But that is not obvious at all, particularly in context. Section 1030(a)(5) provides punishment for one who

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

U.S. v. Stratman, supra.  

The judge then explained that

[i]t is apparent from § 1030(a)(5)(B) and (C) that Congress knew exactly how to require proof that a defendant's access to a computer was unauthorized. ‘”[W]here Congress includes particular language in one section of a statute but omits it in another section of the same Act, it is generally presumed that Congress acts intentionally and purposely in the disparate inclusion or exclusion.’” Dean v. U.S., 556 U.S. 568 (2009) (quoting Russello v. U.S., 464 U.S. 16 (1983)).

There is, in fact, nothing in § 1030(a)(5)(A) to suggest that access to a protected computer is an element of the offense at all, whether or not it was authorized. Nor is that surprising: it is possible for a perpetrator to damage a computer system by distributing a computer virus, for instance, without ever directly accessing the damaged system. 

The fact that the defendant in this case did access the system, with authorization, does not change the fact that if he intentionally damaged the system without authorization, he may be charged with violating § 1030(a)(5)(A).

U.S. v. Stratman, supra.  

The District Court Judge then noted that while he found “that result to be compelled by the plain language of the statute,” he also found that it was supported by the statute’s legislative history. U.S. v. Stratman, supra.  He pointed out that the “Senate Judiciary Committee's report on the bill containing the relevant provision” contains the following:  

Specifically, as amended, subsection 1030(a)(5)(A) would penalize, with a fine and up to 5 years' imprisonment, anyone who knowingly causes the transmission of a program, information, code or command and intentionally causes damage to a protected computer.  

This would cover anyone who intentionally damages a computer, regardless of whether they were an outsider or an insider otherwise authorized to access the computer. Subsection 1030(a)(5)(B) would penalize, with a fine and up to 5 years' imprisonment, anyone who intentionally accesses a protected computer without authorization and, as a result of that trespass, recklessly causes damage. This would cover outside[ ] hackers into a computer who recklessly cause damage. 

Finally, subsection 1030(a)(5)(C) would impose a misdemeanor penalty, of a fine and up to 1 year imprisonment, for intentionally accessing a protected computer without authorization and, as a result of that trespass, causing damage. This would cover outside hackers into a computer who negligently or accidentally cause damage.

In sum, under the bill, insiders, who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage. By contrast, outside hackers who break into a computer could be punished for any intentional, reckless, or other damage they cause by their trespass.

The rationale for this difference in treatment deserves explanation. Although those who intentionally damage a system, without authority, should be punished regardless of whether they are authorized users, it is equally clear that anyone who knowingly invades a system without authority and causes significant loss to the victim should be punished as well, even when the damage caused is not intentional. . . . 

[I]t is better to ensure that section 1030(a)(5) criminalizes all computer trespass, as well as intentional damage by insiders, albeit at different levels of severity.

U.S. v. Stratman, supra (quoting U.S. Senate Report No. 104–357 (1996) (emphasis added in the opinion)). 

After quoting this report, the judge pointed out that “both the language of the statute and the legislative history support the conclusion that unauthorized access to the protected computer system is not an element of the offense defined by § 1030(a)(5)(A).” U.S. v. Stratman, supra (emphasis in the original).

He then noted that Stratman

reasserts his contention that the phrase `without authorization’ should not be related to the phrase “intentionally causes damage” because it would not make sense for someone to be authorized to cause damage. The Magistrate Judge's rejection of that point was persuasive, and the Court need not restate it.

Anyone who has ever redecorated a home, for instance, is familiar with the basic principle that sometimes `damage’ is necessary to facilitate reconstruction or improvement. In the context of information technology, the simplest example may be clearest: old files get deleted all the time.

U.S. v. Stratman, supra.  

The judge therefore denied Stratman’s motion to dismiss. U.S. v. Stratman, supra.  

No comments: