QUESTION
Week 6 – Main Cyber security
Hello this should be an answer, definition or description, and (if appropriate) a reflection, comment, opinion, or matter for further consideration—for example, did anything surprise or alarm you, or seem incomplete?—discuss whatever seems interesting to you, but be sure to say why it is interesting by briefly making a point that is concise and coherent.
Your response should reply thoughtfully to any answer or opinion in another student’s primary post on a topic other than the one you selected for your own primary post. Among other things, a thoughtful response advances the discussion by drawing out, seeking to clarify, or offering distinctions or further observations—by cooperating to find the best amplification of the primary post. You must make a comment that is more than simply “yes, I agree” or “no, I disagree.” Strive to enhance the consideration of the issues at hand. Remember to find one point of agreement and one point of disagreement (or else make a new observation of your own).
Prompt #2. Strict Liability, Due Process, Potential Over-Breadth, Prosecutorial Discretion.
Consider the casebook at pages 136-37 (notes 1 & 2 on “strict liability”), pp. 137-38 (note 4 on Due process), and p. 141 (note 6 on breadth and prosecutorial discretion—the method of “criminaliz[ing] everything”)
Would you say that the legislature has acted wisely in enacting the CFAA? Has it gone too far? Not far enough?
Prompt #3. Self-Help; Secondary Liability.
Consider the casebook at pp. 141-44 (self-help by hacking back) and note 5 (secondary liability: making ISPs liable for criminal acts of users; or making some users liable for their negligence causing harm to others on the network).
Would you say that either one of these (authorizing hack-back, or making persons other than the pirate liable) is a good idea? Can you think of undesired consequences (costs) that might follow? Would the benefits of either of these ideas outweigh the costs?
Source: The “Casebook”: ORIN KERR, COMPUTER CRIME LAW, West (fourth edition, 2018), ISBN-13: 978-1-634-59899-6. (There is an e-book version available.)
Attached
First Block. Casebook, pp. 83-107 (and see the statutory provisions in the supplement). Computer Misuse Crimes described in Section 1030(a) of the CFAA:
- (a)(2) unauthorized access including misdemeanors and felony enhancements,
- (a)(3) government computers [note 3 at p. 96-97], and
- (a)(4) computer fraud.
D. 18 U.S.C. § 1030(a)(2) AND ITS FELONY ENHANCEMENTS
It is now time to study a few provisions of 18 U.S.C. § 1030(a) in depth. We will start with § 1030(a)(2), which is the most commonly charged section of the statute. Section 1030(a)(2) states that it is a crime if a person:
intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer.
How serious are § 1030(a)(2) violations under federal law? It depends. Federal law classifies crimes into felonies and misdemeanors. Misdemeanors are less serious offenses, and felonies are more serious offenses. Federal law classifies misdemeanors as crimes punishable by one year or less of prison time. Felonies are crimes that allow the possibility of a sentence of more than one year of prison. See 18 U.S.C. § 3559(a). As a result, it is possible to classify federal crimes as felonies or misdemeanors based on the maximum statutory punishment the offense allows.
Under this framework, the seriousness of § 1030(a)(2) violations depends on the circumstances. Ordinarily, violations of 18 U.S.C. § 1030(a)(2) are misdemeanors. See 18 U.S.C. § 1030(c)(2)(A). However, violations of the statute can become felony crimes if the government proves additional elements of the crime found in 18 U.S.C. § 1030(c)(2)(B):
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000.
In effect, the three provisions in § 1030(c)(2)(B) can be considered add-ons to 18 U.S.C. § 1030(a)(2) liability. If the government charges a felony violation of § 1030(a)(2) and alleges one of these three provisions, it must prove the existence of the provision as an extra element of the offense beyond a reasonable doubt. If the government cannot prove the felony element, the government can obtain a misdemeanor conviction under § 1030(a)(2), as the misdemeanor violation is a lesser-included offense of the felony charge.
The materials will explore 18 U.S.C. § 1030(a)(2) by beginning with the misdemeanor provisions and then turning to the felony enhancements.
1. 18 U.S.C. § 1030(a)(2) MISDEMEANOR LIABILITY
The starting point of misdemeanor liability under 18 U.S.C. § 1030(a)(2) is an intentional act of access without authorization or exceeding authorized access. The Senate Report that accompanied a change of the mental state from “knowingly” to “intentionally” in 1986 offered the following explanation of the intent requirement:
Intentional acts of unauthorized access—rather than mistaken, inadvertent, or careless ones—are precisely what the Committee intends to proscribe. The Committee is concerned that the “knowingly” standard in the existing statute might be inappropriate for cases involving computer technology. The Senate’s Report on the Criminal Code states that a person is said to act knowingly if he is aware “that the result is practically certain to follow from his conduct, whatever his desire may be as to that result.”
While appropriate to many criminal statutes, this standard might not be sufficient to preclude liability on the part of those who inadvertently “stumble into” someone else’s computer file or computer data. This is particularly true in those cases where an individual is authorized to sign onto and use a particular computer, but subsequently exceeds his authorized access by mistakenly entering another computer file or data that happens to be accessible from the same terminal. Because the user had “knowingly” signed onto that terminal in the first place, the danger exists that he might incur liability for his mistaken access to another file. This is so because, while he may not have desired that result, i.e., the access of another file, it is possible that a trier of fact will infer that the user was “practically certain” such mistaken access could result from his initial decision to access the computer.
The substitution of an “intentional” standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another. Again, this will comport with the Senate Report on the Criminal Code, which states that “intentional” means more than that one voluntarily engaged in conduct or caused a result. Such conduct or the causing of the result must have been the person’s conscious objective.
S. Rep. No. 99–432, reprinted in 1986 U.S.C.C.A.N. 2479, 2483–84.
When you first read § 1030(a)(2), it may seem that the elements of misdemeanor liability contain several important provisions beyond intentional unauthorized access. In truth, however, these requirements provide relatively low thresholds. These low thresholds ensure that § 1030(a)(2) misdemeanor liability is the broadest kind of liability in the CFAA.
Consider the requirement that the defendant must obtain information under (a)(2)(A), (B), or (C). The Senate Report that accompanied the passage of § 1030(a)(2) explains that this is a very low hurdle:
The Department of Justice has expressed concerns that the term “obtains information” in 18 U.S.C. 1030(a)(2) makes that subsection more than an unauthorized access offense, i.e., that it might require the prosecution to prove asportation of the data in question. Because the premise of this subsection is privacy protection, the Committee wishes to make clear that “obtaining information” in this context includes mere observation of the data. Actual asportation, in the sense of physically removing the data from its original location or transcribing the data, need not be proved in order to establish a violation of this subsection.
S. Rep. No. 99–432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2484. It is unclear whether § 1030(a)(2) requires actual observation of the data or whether merely coming into possession of the data is sufficient. In any event, the fact that most computer intruders will see information inside the victim network means that most computer hacking will end up violating 18 U.S.C. § 1030(a)(2).
Misdemeanor liability under § 1030(a)(2) also requires the government to show that the computer satisfied one of the categories of computers listed in § 1030(a)(2)(A)–(C). On one hand, sections 1030(a)(2)(A) and (a)(2)(B) are narrow. The former covers financial records as defined in § 1030(e)(4)–(5), and the latter covers only information obtained from United States government computers as defined in § 1030(e)(7). But these provisions generally do not matter because § 1030(a)(2)(C) has vast scope. Section 1030(a)(2)(C) requires that information be obtained from any “protected computer.” Section 1030(e)(2) defines a “protected computer” as a computer:
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
As we will see in Chapter 7, most computers are “protected computers” because computers that affect interstate commerce include any computers that can be regulated under the scope of the Commerce Clause of the United States Constitution.
Further, the statutory definition of “computer” is very broad. 18 U.S.C. § 1030(e)(1) defines “computer” as:
an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.
Courts have interpreted this definition expansively. Consider two cases. First, in United States v. Mitra, 405 F.3d 492 (7th Cir. 2005), a college student commandeered the radio system used by police, fire, ambulance, and other emergency workers in Madison, Wisconsin. The radio system was a Motorola Smartnet II, a sophisticated system that used a computer to host many different communications on a small number of radio frequencies. Mitra had learned how to control the system using a radio transmitter, and he used his transmitter to block the radio system to stop receiving signals. Mitra’s conduct effectively blocked Madison emergency workers from being able to use their radio system and to coordinate emergency responses to incidents in the city.
Mitra was charged and convicted of violating 18 U.S.C. § 1030(a)(5), and appealed his conviction on the ground that the Madison radio system was not a “computer” covered by § 1030. In an opinion by Judge Easterbrook, the Seventh Circuit disagreed and affirmed the conviction:
Every cell phone and cell tower is a “computer” under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget. Reading § 1030 to cover all of these, and police radio too, would give the statute wide coverage, which by Mitra’s lights means that Congress cannot have contemplated such breadth.
Well of course Congress did not contemplate or intend this particular application of the statute. But although legislators may not know about [it], they do know that complexity is endemic in the modern world and that each passing year sees new developments. That’s why they write general statutes rather than enacting a list of particular forbidden acts. And it is the statutes they enacted—not the thoughts they did or didn’t have—that courts must apply.
Section 1030 is general. Exclusions show just how general. Subsection (e)(1) carves out automatic typewriters, typesetters, and handheld calculators; this shows that other devices with embedded processors and software are covered. As more devices come to have built-in intelligence, the effective scope of the statute grows. This might prompt Congress to amend the statute but does not authorize the judiciary to give the existing version less coverage than its language portends.
Id. at 495.
The Eighth Circuit offered a similarly broad interpretation of “computer” in United States v. Kramer, 631 F.3d 900 (8th Cir. 2011). In Kramer, the defendant used a Motorola Motorazr V3 cell phone to make voice calls and send text messages in the course of criminal activity. The defendant argued that his cell phone was not a “computer” for purposes of 18 U.S.C. § 1030(e)(1), but the Eighth Circuit disagreed:
The language of 18 U.S.C. § 1030(e)(1) is exceedingly broad. If a device is “an electronic or other high speed data processing device performing logical, arithmetic, or storage functions,” it is a computer. This definition captures any device that makes use of an electronic data processor, examples of which are legion. Accord Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1577 (2010) (“Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of ‘computer.’ That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, in addition to more traditional computers like laptops or desktop computers.”). Additionally, each time an electronic processor performs any task—from powering on, to receiving keypad input, to displaying information—it performs logical, arithmetic, or storage functions. These functions are the essence of its operation. See The New Oxford American Dictionary 277 (2d ed. 2005) (defining “central processing unit” as “the part of a computer in which operations are controlled and executed”).
Furthermore, there is nothing in the statutory definition that purports to exclude devices because they lack a connection to the Internet. To be sure, the term computer “does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.” 18 U.S.C. § 1030(e)(1). But this hardly excludes all non-Internet-enabled devices from the definition of “computer”—indeed, this phrasing would be an odd way to do it. Whatever makes an automated typewriter “similar” to a hand held calculator—the statute provides no further illumination—we find few similarities between those items and a modern cellular phone containing an electronic processor. Therefore we conclude that cellular phones are not excluded by this language.
Id. at 902–03.
For all of the above reasons, misdemeanor liability under § 1030(a)(2) is the broadest kind of criminal liability in the Computer Fraud and Abuse Act.
2. 18 U.S.C. § 1030(a)(2) FELONY LIABILITY
Although 18 U.S.C. § 1030(a)(2) violations ordinarily are misdemeanors, they can become more serious felony offenses when one of three circumstances exists:
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000.
18 U.S.C. § 1030(c)(2)(B). The following materials consider the meaning of these three enhancements.
United States v. Batti
United States Court of Appeals for the Sixth Circuit, 2011.
631 F.3d 371.
Karen Nelson Moore, Circuit Judge.
Luay Batti was convicted of improperly accessing information from a protected computer, in violation of 18 U.S.C. § 1030(a)(2)(C) and (c)(2)(B)(iii). He appeals the district court’s finding that the value of the information that he obtained exceeded $5,000.
I.
Luay Batti worked in the IT department of Campbell-Ewald, an advertising company in Michigan, for about six years, until he was fired in March 2007. The events leading to his termination began about six months earlier when Batti accessed Campbell-Ewald’s computer server and copied confidential computer files belonging to Campbell-Ewald’s CEO without authorization. Although these files were normally stored on the CEO’s desktop computer, they had been moved by the company to the company’s server while the CEO’s computer was being replaced. Within these files were confidential pieces of information including executive compensation, financial statements of the firm, goals and objectives for senior executives of the company reporting to the chairman, and some strategic plans.
The record does not reveal why Batti retained this information for six months, but, on the evening of February 27, 2007, he went to the office of Campbell-Ewald’s Vice Chairman and General Manager, Joseph Naporano, to talk about the information he had obtained. Batti’s ostensible purpose in approaching Naporano was merely to inform him of the weaknesses in Campbell-Ewald’s computer-security barriers and to complain about the IT department’s management. At this meeting, Batti also gave Naporano a letter in which Batti set out his complaints and a computer disk containing some of the CEO’s files that Batti had copied. The disk also contained video footage that Campbell-Ewald had purchased for use in television commercials for its largest client, General Motors. Soon afterwards, Naporano began to investigate the security weaknesses mentioned by Batti, and, within a few days, Naporano fired Batti for exercising “bad judgment” in accessing and copying the CEO’s files.
About six weeks later, on April 18, 2007, while the security review was still underway, Naporano learned of two websites that contained confidential information regarding Campbell-Ewald and GM, along with emails sent between officials of these two companies. These websites were open to the public for an unknown—yet likely brief—amount of time, but almost immediately after Campbell-Ewald discovered them they became password-protected. Greatly alarmed by what was clearly a breach of the company’s computer-security system, and unaware of exactly how broad the breach was, Naporano contacted the police and an IT security firm, who recommended that Naporano contact the FBI.
The FBI determined that Batti had accessed Campbell-Ewald’s confidential files no fewer than twenty-one times after his firing, twice through a Campbell-Ewald server and nineteen times through the email account of another Campbell-Ewald employee, Steve Majoros. The FBI conducted a search of Batti’s home on April 19, 2007. In an interview with the FBI, Batti admitted that he had accessed Campbell-Ewald’s system through its server and Majoros’s webmail. On the latter point, Batti admitted that he had learned Majoros’s username and password in the course of his employment with Campbell-Ewald; although Majoros had slightly altered his password after Batti was fired, Batti was able to guess the new password through trial and error.
Batti was charged with one count, a violation of 18 U.S.C. § 1030(a)(2)(C) and (c)(2)(B)(iii). In the Indictment, the government sought a felony conviction by alleging, pursuant to subsection (B)(iii), that Batti “obtained information valued in excess of $5,000.00.” At a bench trial held on October 28, 2008, the district court heard testimony from FBI Agent Bryan Taube and Naporano regarding Batti’s intrusions. Naporano also testified that Campbell-Ewald paid about $305,000 for the television-commercial footage that Batti accessed and put on the disk that he gave Naporano.
The district court found that the $305,000 amount best represented the value of the information that Batti had obtained in his intrusions; it therefore ruled for the government on the issue of whether the value exceeded $5,000. In coming to this conclusion, the district court noted that there was virtually no case law interpreting how to define or measure the “value of the information obtained,” but it found persuasive cases regarding the value of stolen goods under 18 U.S.C. § 2314. The courts in these cases held that, where a stolen good does not have any readily ascertainable market value, any reasonable method may be used to calculate its value, including the cost of production, research, or design. Accordingly, the district court looked to Campbell-Ewald’s cost of production of the video footage that Batti posted online, which, at approximately $305,000, was well over the $5,000 threshold.
II.
Batti’s challenge to the district court’s conclusion that the value of the information obtained exceeded $5,000 requires an interpretation of 18 U.S.C. § 1030(c)(2)(B)(iii). Section 1030 of Title 18 contains no definition of the term “value,” as used in 18 U.S.C. § 1030(c)(2)(B)(iii), however, and § 1030 does not otherwise indicate how a court should determine whether the “value of the information obtained exceeds $5,000.” 18 U.S.C. § 1030(c)(2)(B)(iii).
Batti argues that the district court committed a legal error because he asserts that “there was no evidence that his actions had any impact on the company’s use of these commercials.” Batti Br. at 18. In other words, Batti contends that, because he did not damage the information in any way, the court could not find that the “value of the information obtained” exceeded $5,000. The district court rejected this argument on the ground that the statute does not require that the information obtained lost value as a result of the defendant’s illicit actions. As the district court stated:
There simply is no requirement under the pertinent subsections of § 1030 that Defendant’s unauthorized access must have led to any sort of loss, that the value of the information must have been diminished as a result of his conduct, or that he somehow must have profited from his actions. Rather, the trier of fact—in this case, the Court—is called upon only to determine the value of the information through some appropriate means.
We agree with the district court. The statute here requires only a determination of the “value of the information obtained,” not whether that value decreased. Furthermore, the statute contains specific definitions of the terms “loss” and “damage,” either of which could be said to include an alleged decrease in the value of the video footage obtained by Batti. These terms—“loss” and “damage”—are used in other provisions within § 1030, but not in subsection (c)(2)(B)(iii). Given that the terms “loss” and “damage” encompass the type of decrease in value described by Batti, the absence of these terms in § 1030(c)(2)(B)(iii) supports the conclusion that the “value of the information obtained” bears no relation to whether that value was diminished by the defendant’s actions. We therefore reject Batti’s argument that a diminution in value constitutes the statutory measure.
Batti also argues that the district court should have used the market value of the information, and that there was no ‘market’ available to set a value on the information. We believe there is also no merit in this argument, because, as we explain below, although there may be no readily ascertainable market value for the video footage that Batti obtained, the cost of production of that footage was a permissible basis on which the district court could rely in determining whether the value of the information obtained exceeded $5,000.
Subsection (a)(2)(C) was added to 18 U.S.C. § 1030 in 1996 in order to protect against the interstate or foreign theft of information by computer. In particular, Congress was concerned about the fact that electronically stored information “is intangible, and it has been held that the theft of such information cannot be charged under more traditional criminal statutes such as Interstate Transportation of Stolen Property, 18 U.S.C. § 2314.” S. Rep. No. 104–357 at *7 (citing United States v. Brown, 925 F.2d 1301, 1308 (10th Cir. 1991)). Subsection (a)(2)(C) ensures that the theft of intangible information by the unauthorized use of a computer is prohibited in the same way theft of physical items are protected.
Regarding the penalties for violations of subsection (a)(2)(C), the Senate Report states that violations involving information of “nominal” or “minimal” value constitute misdemeanors, punishable under § 1030(c)(2)(A). For violations involving “valuable information” and “misusing information in other more serious ways,” however, the felony provision of § 1030(c)(2)(B) applies. Furthermore, Congress identified precisely the types of violations worthy of felony punishment by including within § 1030(c)(2)(B) three preconditions to its application. In order to punish a violation of § 1030(a)(2)(C) as a felony, the government must prove one of the following:
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000.
18 U.S.C. § 1030(c)(2)(B)(i)–(iii). The Senate Report notes that the first two of these preconditions derive from the copyright statute, 17 U.S.C. § 506(a), and the wiretap statute, 18 U.S.C. § 2511(1)(d). S. Rep. No. 104–357 at *8. Moreover, these two provisions “are intended to have the same meaning as in those statutes.” Id.
Subsection (iii) is similar to the transporting-stolen-goods statute mentioned by the Senate Report as the inspiration for the 1996 amendment, 18 U.S.C. § 2314, in that both require the “value” of the object of the violation to exceed $5,000. Section 2314 prohibits transport[ing], transmitting, or transferring in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud. 18 U.S.C. § 2314 (emphasis added). Consequently, given the absence of case law interpreting the term “value” in § 1030(c)(2)(B)(iii), we may consider parallel interpretations of § 2314. We also recognize a key difference between the two statutes: although § 1030 prohibits obtaining information, § 2314 prohibits transporting, transmitting, or transferring proscribed items. Thus, as the Senate Report notes, the crux of the offense under subsection 1030(a)(2)(C) is the abuse of a computer to obtain the information, and actual asportation need not be proved.”
Examination of the definition of “value” in 18 U.S.C. § 2311 reveals that the market value of the stolen good constitutes the primary relevant benchmark for the determination of the value of stolen “goods, wares, merchandise, securities or money” in § 2314. According to § 2311, “ ‘Value’ means the face, par, or market value, whichever is the greatest, and the aggregate value of all goods, wares, and merchandise, securities, and money referred to in a single indictment shall constitute the value thereof.” 18 U.S.C. § 2311. Yet when a particular item does not have a readily ascertainable market value, courts have permitted the use of any reasonable method to calculate value, including the cost of production, research, or design.
With this approach in mind, we believe that, where information obtained by a violation of § 1030(c)(2)(B)(iii) does not have a readily ascertainable market value, it is reasonable to use the cost of production as a means to determine the value of the information obtained. The district court here believed that the amount Campbell-Ewald paid for the “spots” or video footage that Batti later obtained could be viewed as the footage’s market value, but the district court also recognized that footage of this type is not sold on a typical retail market. As a result, the district court believed that the amount that Campbell-Ewald paid for the footage could also be viewed as the cost of production for the development of advertisements or commercials.
We see no error in this approach. Section 1030(a)(2)(C) protects, broadly, “information obtained from any protected computer,” and it is often the case, as it was here, that this information is intangible and lacks any easily ascertainable market value. In such circumstances, we approve of the use of “any reasonable method” to determine the value of information obtained by a breach of § 1030(a)(2)(C), whether this determination is being made by the district court in a bench trial or by a jury. We hold that the district court’s use of the cost of production here was a reasonable, and therefore permissible, method by which to determine the value of the information obtained by Batti. We recognize, however, that, given the broad nature of the statute, violations of § 1030(a)(2)(C) may arise in many different contexts. We therefore express no opinion regarding either the propriety of other methods by which to calculate the value of information obtained under 18 U.S.C. § 1030(a)(2)(C) and (c)(2)(B)(iii) or the applicability of the method we approve today to dissimilar factual circumstances.
Notes and Questions
1. Each of the felony enhancements that apply to § 1030(a)(2) violations derives from similar language in other areas of federal criminal law. The requirement of an offense having been “committed for purposes of commercial advantage or private financial gain” was taken from the copyright statutes. See 17 U.S.C. § 506(a)(1)(A) (“Any person who willfully infringes a copyright shall be punished . . . if the infringement was committed . . . for purposes of commercial advantage or private financial gain”).
The requirement that an offense be committed “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State” was taken from the wiretap laws. See 18 U.S.C. § 2511(2)(d) (“It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.”).
As the Batti court notes, the requirement that the value of the information obtained must exceed $5,000 resembles the federal statute prohibiting the interstate transportation of stolen property. See 18 U.S.C. § 2314 (providing for punishment of “[w]hoever transports, transmits, or transfers in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud”).
2. Double-counting and § 1030(a)(2) felonies. The second felony enhancement states that a § 1030(a)(2) crime becomes a felony if “the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 1030(c)(2)(B)(ii). This provision creates difficult interpretive questions because there are many “criminal or tortious act[s]” prohibited by laws other than the CFAA that nonetheless overlap substantially with the CFAA. The question is, how much overlap is too much overlap, such that it is improper double-counting to treat a § 1030(a)(2) violation as a felony based on the act being committed “in furtherance of” a law that resembles § 1030(a)(2) itself?
This issue first arose in United States v. Cioni, 649 F.3d 276 (4th Cir. 2011), which involved hacking into a personal e-mail account. Federal criminal law contains two misdemeanor offenses that apply to hacking into an e-mail account. The first, 18 U.S.C. § 2701, specifically prohibits hacking into an e-mail account stored on an ISP’s server. The second, 18 U.S.C. § 1030(a)(2), generally prohibits hacking into any computer, which will always be implicated when a person hacks into an e-mail account. In Cioni, the government tried to harness this overlap to turn a misdemeanor into a felony: It argued that hacking into an e-mail account constitutes a felony on the ground that it is a § 1030(a)(2) violation in furtherance of a § 2701 violation.
The Fourth Circuit rejected this argument in Cioni. According to the Fourth Circuit, the enhancement of § 1030(c)(2)(B)(ii) applies only when the crime furthered is distinct from the underlying § 1030 offense. This narrow construction avoids a “merger” problem that implicates double jeopardy principles by punishing a defendant twice for the same conduct. The Fourth Circuit vacated the felony conviction and ordered the district court to reduce the conviction to a misdemeanor § 1030(a)(2) violation:
If the government had proven that Cioni accessed [the victim’s] e-mail inbox and then used the information from that inbox to access another person’s electronic communications, no merger problem would have arisen. But the government charged and attempted to prove two crimes using the same conduct of attempting, but failing, to access only [the victim’s] e-mail account. This creates a merger problem, implicating double jeopardy principles.
Id. at 283.
Contrast Cioni with United States v. Steele, 595 Fed.Appx. 208 (4th Cir. 2014). In Steele, the defendant used a backdoor account to access confidential business documents stored on the computers of his former corporate employer. The defendant was convicted of a felony version of § 1030(a)(2)(C) on the ground that his unauthorized access had been in furtherance of theft of the valuable documents in violation of Virginia’s grand larceny statute. On appeal, Steele argued that the felony enhancement was improper under Cioni. The Fourth Circuit distinguished Cioni and affirmed the felony conviction:
Steele contends that his conduct of accessing protected computers improperly supported both a violation of § 1030(a)(2)(C) and the accompanying felony enhancement under Va. Code Ann. section 18.2–95. We disagree. Primarily, proof of § 1030(a)(2)(C) requires only that the defendant read or observe data; actual asportation need not be proved. The Virginia statute, on the other hand, criminalizes grand larceny, which by definition requires proof of an actual taking.
In this case, Special Agent Etienne, who investigated Steele’s conduct, testified that the FBI recovered evidence that Steele not only accessed emails and bid documents but actively downloaded them and saved them to multiple hard drives connected to his personal computer. In addition, the government provided the jury with a summary chart of the charges against Steele, listing specific documents supporting those charges, the value associated with those documents, and the location where they were found on Steele’s computer hard drives. Through this evidence, the government was able to show that Steele’s conduct included not simply reading or observing protected information but also downloading (“taking”) that information.
In sum, because the government used different conduct to prove the two offenses, Steele’s felony convictions for violating the CFAA do not raise the double jeopardy concerns implicated by Cioni.
Id. at 214.
Did Steele persuasively apply Cioni? Recall that § 1030(a)(2)(C) requires obtaining information, which the legislative history says is satisfied by observing it. What is the difference between merely “obtaining” or “observing” information (covered by § 1030(a)(2)(C)) and actually “taking” or “downloading” that information (covered by the Virginia grand larceny statute)? Observing information over a remote network requires transmitting a copy so that it can be observed by the remote viewer. How is that different from “downloading” it? Is information not stolen for purposes of a larceny statute unless it is permanently saved?
United States v. Auernheimer, 2012 WL 5389142 (D.N.J. 2012), vacated on other grounds, 748 F.3d 525 (3d Cir. 2014), raised an interesting variation on the problem. Every state has a CFAA-equivalent criminal law that prohibits unauthorized access to a computer at the state level. In Auernheimer, the government argued that a misdemeanor violation of § 1030(a)(2) becomes a felony under § 1030(c)(2)(B)(ii) if the act also violates the state unauthorized access law. In that instance, the government argued, the offense becomes a federal unauthorized access crime in furtherance of a state unauthorized access crime. The district court agreed, at least when the state unauthorized access includes an extra element that § 1030(a)(2) does not have:
Although there is an overlap of facts for the first two elements of each offense, N.J.S.A. 2C:20–31(a) requires the additional component that defendant “knowingly or recklessly discloses or causes to be disclosed any data . . . or personal identifying information.” Hence, an essential N.J.S.A. 2C:20–31(a) element requires proof of conduct not required for a CFAA offense
2012 WL 5389142 at *4.
On appeal, Auernheimer argued that the district court was mistaken because the key question was whether the government had charged two different acts, not two different statutes. Otherwise, mere overlap with analogous state unauthorized access statutes would transform every § 1030(a)(2) misdemeanor into a felony. The Third Circuit vacated the defendant’s conviction on venue grounds without reaching the felony enhancement issue. If the Third Circuit had reached the issue, how should it have ruled?
3. 18 U.S.C. § 1030 and repeat offenders. The scope of liability under 18 U.S.C. § 1030 sometimes depends on whether a defendant has a prior conviction under the statute. As a practical matter, this issue arises only rarely. But misdemeanor offenses under the various sections of § 1030 can become felonies if a particular defendant has a prior conviction for violating or attempting to violate § 1030. Further, felony violations can become more serious felony offenses when a defendant has a prior § 1030 conviction. See 18 U.S.C. § 1030(c)(1)(B), § 1030(c)(2)(B)(iii), § 1030(c)(3)(B), § 1030(c)(4)(C)(i), and § 1030(c)(4)(D)(i).
4. The forgotten 18 U.S.C. § 1030(a)(3). Although § 1030(a)(2) gets a lot of attention, it is worth pausing for a moment to consider its rarely-used neighbor, § 1030(a)(3). This section states that it is a crime if a person:
intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States.
Violations of § 1030(a)(3) are misdemeanors unless the defendant has a prior conviction under § 1030. If the defendant has a prior conviction, the crime is a felony punishable by up to ten years in prison. See 18 U.S.C. § 1030(c)(2)(C).
Section 1030(a)(3) is different from § 1030(a)(2) in a number of ways. First, § 1030(a)(3) applies only to access into United States government computers. Second, it is a simple trespass statute; there is no requirement that any information be obtained by the defendant. Third, the basic prohibition is limited to “access without authorization,” whereas § 1030(a)(2) includes both a defendant who “accessed without authorization” and a defendant who “exceeds authorized access.” As we will see, the precise distinction between access without authorization and exceeding authorized access can be difficult to follow. But the limitation of § 1030(a)(3) reflects a design for the statute to reach only a limited class of cases.
The Senate Report that accompanied the enactment of the modern version of 18 U.S.C. § 1030(a)(3) included the following discussion of its scope:
It applies to acts of simple trespass against computers belonging to, or being used by or for, the Federal Government. The Department of Justice and others have expressed concerns about whether the present subsection covers acts of mere trespass, i.e., unauthorized access, or whether it requires a further showing that the information perused was “used, modified, destroyed, or disclosed.” To alleviate those concerns, the Committee wants to make clear that the new subsection will be a simple trespass offense, applicable to persons without authorized access to Federal computers.
S.Rep. 99–432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2484.
18 U.S.C. § 1030(a)(3) is largely forgotten today because it has been eclipsed by 18 U.S.C. § 1030(a)(2). In 1984, when both provisions were first enacted, § 1030(a)(2) was exceedingly narrow: It applied only to financial records held by financial institutions and consumer files held by consumer reporting agencies. See Pub. L. 98–473, § 2102 (1984). Over time, however, § 1030(a)(2) has expanded dramatically. Today, § 1030(a)(2) is so broad that it covers most conduct that could be prosecuted under § 1030(a)(3).
E. 18 U.S.C. § 1030(a)(4) AND COMPUTER FRAUD STATUTES
Computer fraud statutes are hybrids between unauthorized access statutes and fraud statutes. The federal computer fraud statute is 18 U.S.C. § 1030(a)(4). It punishes whoever:
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any one-year period.
All § 1030(a)(4) crimes are felonies; the maximum punishment is 5 years for the first offense, and 10 years if the defendant has a prior § 1030 conviction. See 18 U.S.C. § 1030(c)(3).
The hybrid status of § 1030(a)(4) is readily apparent from its text. On one hand, it clearly is closely related to § 1030(a)(2). The basic prohibition on accessing a protected computer without authorization or exceeding authorized access is shared between the two. On the other hand, the prohibition is also similar to the wire fraud statute, 18 U.S.C. § 1343. The wire fraud statute punishes whoever,
having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice.
Section 1030(a)(4) puts the two basic concepts together. It combines the intent to defraud and obtaining of anything of value from the wire fraud statute and matches it with the actus reus of accessing a protected computer without authorization or exceeding authorized access from § 1030(a)(2). The hybrid status raises interesting questions about why § 1030(a)(4) exists. Just what does it punish that the combination of § 1030(a)(2) and the wire fraud statute does not?
The difference between unauthorized access statutes, wire fraud statutes, and computer fraud statutes was explored in the Senate Report that accompanied the enactment of § 1030(a)(4):
The new subsection 1030(a)(4) to be created by this bill is designed to penalize thefts of property via computer that occur as part of a scheme to defraud. It will require a showing that the use of the computer or computers in question was integral to the intended fraud and was not merely incidental. It has been suggested that the Committee approach all computer fraud in a manner that directly tracks the existing mail fraud and wire fraud statutes. However, the Committee was concerned that such an approach might permit prosecution under this subsection of acts that do not deserve classification as “computer fraud.”
The Committee was concerned that computer usage that is wholly extraneous to an intended fraud might nevertheless be covered by this subsection if the subsection were patterned directly after the current mail fraud and wire fraud laws. If it were so patterned, the subsection might be construed as covering an individual who had devised a scheme or artifice to defraud solely because he used a computer to keep records or to add up his potential “take” from the crime.
The Committee does not believe that a scheme or artifice to defraud should fall under the ambit of subsection (a)(4) merely because the offender signed onto a computer at some point near to the commission or execution of the fraud. While such a tenuous link might be covered under current law where the instrumentality used is the mails or the wires, the Committee does not consider that link sufficient with respect to computers. To be prosecuted under this subsection, the use of the computer must be more directly linked to the intended fraud. That is, it must be used by an offender without authorization or in excess of his authorization to obtain property of another, which property furthers the intended fraud. Likewise, this subsection may be triggered by conduct that can be shown to constitute an attempted offense.
This approach is designed, in part, to help distinguish between acts of theft via computer and acts of computer trespass. In intentionally trespassing into someone else’s computer files, the offender obtains at the very least information as to how to break into that computer system. If that is all he obtains, the offense should properly be treated as a simple trespass. But because the offender has obtained the small bit of information needed to get into the computer system, the danger exists that his and every other computer trespass could be treated as a theft, punishable as a felony under this subsection.
The Committee remains convinced that there must be a clear distinction between computer theft, punishable as a felony, and computer trespass, punishable in the first instance as a misdemeanor. The element in the new paragraph (a)(4), requiring a showing of an intent to defraud, is meant to preserve that distinction, as is the requirement that the property wrongfully obtained via computer furthers the intended fraud.
S. Rep. No. 99–432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2488.
United States v. Czubinski
United States Court of Appeals for the First Circuit, 1997.
106 F.3d 1069.
Torruella, Chief Judge.
Defendant-appellant Richard Czubinski appeals his jury conviction on nine counts of wire fraud, and four counts of computer fraud, 18 U.S.C. § 1030(a)(4). The wire fraud and computer fraud prosecution that led to the conviction survived serious challenges put forward by Czubinski in various pre-trial motions. Given the broad scope of the federal fraud statutes, motions charging insufficient pleadings or selective prosecution generally deserve careful consideration. We need not scrutinize the lower court’s rejection of the defendant’s arguments in favor of dismissing the indictment, however, because we reverse the conviction on the clearer ground that the trial evidence mustered by the government was insufficient to support a guilty verdict, and hold that the defendant’s motion for judgment of acquittal should have been granted on all counts. Unauthorized browsing of taxpayer files, although certainly inappropriate conduct, cannot, without more, sustain this federal felony conviction.
Background
For all periods relevant to the acts giving rise to his conviction, the defendant Czubinski was employed as a Contact Representative in the Boston office of the Taxpayer Services Division of the Internal Revenue Service. To perform his official duties, which mainly involved answering questions from taxpayers regarding their returns, Czubinski routinely accessed information from one of the IRS’s computer systems known as the Integrated Data Retrieval System (“IDRS”). Using a valid password given to Contact Representatives, certain search codes, and taxpayer social security numbers, Czubinski was able to retrieve, to his terminal screen in Boston, income tax return information regarding virtually any taxpayer—information that is permanently stored in the IDRS “master file” located in Martinsburg, West Virginia. In the period of Czubinski’s employ, IRS rules plainly stated that employees with passwords and access codes were not permitted to access files on IDRS outside of the course of their official duties.1
In 1992, Czubinski carried out numerous unauthorized searches of IDRS files. He knowingly disregarded IRS rules by looking at confidential information obtained by performing computer searches that were outside of the scope of his duties as a Contact Representative, including, but not limited to, the searches listed in the indictment. Audit trails performed by internal IRS auditors establish that Czubinski frequently made unauthorized accesses on IDRS in 1992. For example, Czubinski accessed information regarding: the tax returns of two individuals involved in the David Duke presidential campaign; the joint tax return of an assistant district attorney (who had been prosecuting Czubinski’s father on an unrelated felony offense) and his wife; the tax return of Boston City Counselor Jim Kelly’s Campaign Committee (Kelly had defeated Czubinski in the previous election for the Counselor seat for District 2); the tax return of one of his brothers’ instructors; the joint tax return of a Boston Housing Authority police officer, who was involved in a community organization with one of Czubinski’s brothers, and the officer’s wife; and the tax return of a woman Czubinski had dated a few times. Czubinski also accessed the files of various other social acquaintances by performing unauthorized searches.
Nothing in the record indicates that Czubinski did anything more than knowingly disregard IRS rules by observing the confidential information he accessed. No evidence suggests, nor does the government contend, that Czubinski disclosed the confidential information he accessed to any third parties. The government’s only evidence demonstrating any intent to use the confidential information for nefarious ends was the trial testimony of William A. Murray, an acquaintance of Czubinski who briefly participated in Czubinski’s local Invisible Knights of the Ku Klux Klan chapter and worked with him on the David Duke campaign. Murray testified that Czubinski had once stated at a social gathering in “early 1992” that “he intended to use some of that information to build dossiers on people” involved in “the white supremacist movement.” There is, however, no evidence that Czubinski created dossiers, took steps toward making dossiers (such as by printing out or recording the information he browsed), or shared any of the information he accessed in the years following the single comment to Murray. No other witness testified to having any knowledge of Czubinski’s alleged intent to create “dossiers” on KKK members.
The record shows that Czubinski did not perform any unauthorized searches after 1992. He continued to be employed as a Contact Representative until June 1995, when a grand jury returned an indictment against him on ten counts of federal wire fraud under 18 U.S.C. §§ 1343, 1346, and four counts of federal interest computer fraud under 18 U.S.C. § 1030(a)(4).
The portion of the indictment alleging wire fraud states that Czubinski defrauded the IRS of confidential property by using his valid password to acquire confidential taxpayer information as part of a scheme to: 1) build “dossiers” on associates in the KKK; 2) seek information regarding an assistant district attorney who was then prosecuting Czubinski’s father on an unrelated criminal charge; and 3) perform opposition research by inspecting the records of a political opponent in the race for a Boston City Councilor seat. The wire fraud indictment, therefore, articulated particular personal ends to which the unauthorized access to confidential information through interstate wires was allegedly a means.
The portion of the indictment setting forth the computer fraud charges stated that Czubinski obtained something of value, beyond the mere unauthorized use of a federal interest computer, by performing certain searches—searches representing a subset of those making up the mail fraud counts.
Discussion
I. The Wire Fraud Counts
To support a conviction for wire fraud, the government must prove two elements beyond a reasonable doubt: (1) the defendant’s knowing and willing participation in a scheme or artifice to defraud with the specific intent to defraud, and (2) the use of interstate wire communications in furtherance of the scheme. Although defendant’s motion for judgment of acquittal places emphasis on shortcomings in proof with regard to the second element, by arguing that the wire transmissions at issue were not proved to be interstate, we find the first element dispositive and hold that the government failed to prove beyond a reasonable doubt that the defendant willfully participated in a scheme to defraud within the meaning of the wire fraud statute.
The government correctly notes that confidential information may constitute intangible “property” and that its unauthorized dissemination or other use may deprive the owner of its property rights. See Carpenter v. United States, 484 U.S. 19, 26 (1987). Where such deprivation is effected through dishonest or deceitful means, a “scheme to defraud,” within the meaning of the wire fraud statute, is shown. Thus, a necessary step toward satisfying the “scheme to defraud” element in this context is showing that the defendant intended to “deprive” another of their protected right.
The government, however, provides no case in support of its contention here that merely accessing confidential information, without doing, or clearly intending to do, more, is tantamount to a deprivation of IRS property under the wire fraud statute. In Carpenter, for example, the confidential information regarding the contents of a newspaper column was converted to the defendants’s use to their substantial benefit. See id. at 27 (defendants participated in “ongoing scheme to share profit from trading in anticipation” of newspaper column). We do not think that Czubinski’s unauthorized browsing, even if done with the intent to deceive the IRS into thinking he was performing only authorized searches, constitutes a “deprivation” within the meaning of the federal fraud statutes.
Binding precedents, and good sense, support the conclusion that to “deprive” a person of their intangible property interest in confidential information under section 1343, either some articulable harm must befall the holder of the information as a result of the defendant’s activities, or some gainful use must be intended by the person accessing the information, whether or not this use is profitable in the economic sense. Here, neither the taking of the IRS’ right to “exclusive use” of the confidential information, nor Czubinski’s gain from access to the information, can be shown absent evidence of his “use” of the information. Accordingly, without evidence that Czubinski used or intended to use the taxpayer information (beyond mere browsing), an intent to deprive cannot be proven, and, a fortiori, a scheme to defraud, is not shown.
All of the cases cited by the government in support of their contention that the confidentiality breached by Czubinski’s search in itself constitutes a deprivation of property in fact support our holding today, for they all involve, at a minimum, a finding of a further intended use of the confidential information accessed by the defendants. The government’s best support comes from United States v. Seidlitz, 589 F.2d 152, 160 (4th Cir. 1978), in which a former employee of a computer systems firm secretly accessed its files, but never was shown to have sold or used the data he accessed, and was nevertheless convicted of wire fraud. The affirming Fourth Circuit held, however, that a jury could have reasonably found that, at the time the defendant raided a competitor’s computer system, he intended to retrieve information that would be helpful for his own start-up, competing computer firm. In the instant case, Czubinski did indeed access confidential information through fraudulent pretenses—he appeared to be performing his duties when in fact he used IRS passwords to perform unauthorized searches. Nevertheless, it was not proven that he intended to deprive the IRS of their property interest through either disclosure or use of that information.
The resolution of the instant case is complex because it is well-established that to be convicted of mail or wire fraud, the defendant need not successfully carry out an intended scheme to defraud. The government does not contend either that Czubinski actually created dossiers or that he accomplished some other end through use of the information. It need not do so. All that the government was required to prove was the intent to follow through with a deprivation of the IRS’s property and the use or foreseeable use of interstate wire transmissions pursuant to the accomplishment of the scheme to defraud. In the case at bar, the government failed to make even this showing.
The fatal flaw in the government’s case is that it has not shown beyond a reasonable doubt that Czubinski intended to carry out a scheme to deprive the IRS of its property interest in confidential information. Had there been sufficient proof that Czubinski intended either to create dossiers for the sake of advancing personal causes or to disseminate confidential information to third parties, then his actions in searching files could arguably be said to be a step in furtherance of a scheme to deprive the IRS of its property interest in confidential information.
Mere browsing of the records of people about whom one might have a particular interest, although reprehensible, is not enough to sustain a wire fraud conviction on a “deprivation of intangible property” theory. Curiosity on the part of an IRS officer may lead to dismissal, but curiosity alone will not sustain a finding of participation in a felonious criminal scheme to deprive the IRS of its property.
II. The Computer Fraud Counts
Czubinski was convicted on all four of the computer fraud counts on which he was indicted; these counts arise out of unauthorized searches that also formed the basis of four of the ten wire fraud counts in the indictment. Specifically, he was convicted of violating 18 U.S.C. § 1030(a)(4), a provision enacted in the Computer Fraud and Abuse Act of 1986. Section 1030(a)(4) applies to:
whoever . . . knowingly and with intent to defraud, accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer.
We have never before addressed section 1030(a)(4). Czubinski unquestionably exceeded authorized access to a Federal interest computer. On appeal he argues that he did not obtain “anything of value.” We agree, finding that his searches of taxpayer return information did not satisfy the statutory requirement that he obtain “anything of value.” The value of information is relative to one’s needs and objectives; here, the government had to show that the information was valuable to Czubinski in light of a fraudulent scheme. The government failed, however, to prove that Czubinski intended anything more than to satisfy idle curiosity.
The plain language of section 1030(a)(4) emphasizes that more than mere unauthorized use is required: the “thing obtained” may not merely be the unauthorized use. It is the showing of some additional end—to which the unauthorized access is a means—that is lacking here. The evidence did not show that Czubinski’s end was anything more than to satisfy his curiosity by viewing information about friends, acquaintances, and political rivals. No evidence suggests that he printed out, recorded, or used the information he browsed. No rational jury could conclude beyond a reasonable doubt that Czubinski intended to use or disclose that information, and merely viewing information cannot be deemed the same as obtaining something of value for the purposes of this statute.15
The legislative history further supports our reading of the term “anything of value.” In the game of statutory interpretation, statutory language is the ultimate trump card, and the remarks of sponsors of legislation are authoritative only to the extent that they are compatible with the plain language of section 1030(a)(4). Here, a Senate co-sponsor’s comments suggest that Congress intended section 1030(a)(4) to punish attempts to steal valuable data, and did not wish to punish mere unauthorized access:
The acts of fraud we are addressing in proposed section 1030(a)(4) are essentially thefts in which someone uses a federal interest computer to wrongly obtain something of value from another. . . Proposed section 1030(a)(4) is intended to reflect the distinction between the theft of information, a felony, and mere unauthorized access, a misdemeanor.
132 Cong. Rec. 7128, 7129, 99th Cong., 2d. Sess. (1986). The Senate Committee Report further underscores the fact that this section should apply to those who steal information through unauthorized access as part of an illegal scheme:
The Committee remains convinced that there must be a clear distinction between computer theft, punishable as a felony [under section 1030(a)(4)], and computer trespass, punishable in the first instance as a misdemeanor [under a different provision]. The element in the new paragraph (a)(4), requiring a showing of an intent to defraud, is meant to preserve that distinction, as is the requirement that the property wrongfully obtained via computer furthers the intended fraud.
S. Rep. No. 432, 99th Cong., 2d Sess., reprinted in 1986 U.S.C.C.A.N. 2479, 2488. For the same reasons we deemed the trial evidence could not support a finding that Czubinski deprived the IRS of its property, see discussion of wire fraud under section 1343 supra, we find that Czubinski has not obtained valuable information in furtherance of a fraudulent scheme for the purposes of section 1030(a)(4).
Conclusion
We add a cautionary note. The broad language of the mail and wire fraud statutes are both their blessing and their curse. They can address new forms of serious crime that fail to fall within more specific legislation. On the other hand, they might be used to prosecute kinds of behavior that, albeit offensive to the morals or aesthetics of federal prosecutors, cannot reasonably be expected by the instigators to form the basis of a federal felony. The case at bar falls within the latter category. Also discomforting is the prosecution’s insistence, before trial, on the admission of inflammatory evidence regarding the defendant’s membership in white supremacist groups purportedly as a means to prove a scheme to defraud, when, on appeal, it argues that unauthorized access in itself is a sufficient ground for conviction on all counts. Finally, we caution that the wire fraud statute must not serve as a vehicle for prosecuting only those citizens whose views run against the tide, no matter how incorrect or uncivilized such views are.
Notes and Questions
1. Comparing § 1030(a)(4) and § 1030(a)(2). Consider the key differences between computer fraud and basic unauthorized access. Czubinski and the legislative history of § 1030 instruct that the most basic difference is that the unauthorized access and retrieval of information in a case of computer fraud is part of a broader scheme that harms the victim in an appreciable way. Absent such a broader scheme to harm the victim, the crime is mere trespass, a misdemeanor unauthorized access violation under § 1030(a)(2). Was Czubinski guilty of violating 18 U.S.C. § 1030(a)(2)(B)? If he was, why did the government charge Czubinski under § 1030(a)(4) instead? (Hint: Think of the penalties.)
With that said, the felony provisions of § 1030(a)(2) create a great deal of overlap with § 1030(a)(4). Felony liability under § 1030(a)(2) is triggered if the offense was committed “for purposes of commercial advantage or private financial gain,” the offense was committed “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State,” or the value of the information obtained exceeds $5,000. 18 U.S.C. § 1030(c)(2). How different is this from Czubinski’s requirement of a broader scheme to harm the victim? To the extent there is a difference, which is a better approach?
2. Comparing § 1030(a)(4) and § 1343. Note the basic differences between the computer fraud statute and the wire fraud statute. The actus reus of computer fraud is accessing a computer without authorization or exceeding authorized access, while the actus reus of wire fraud is transmitting a wire, radio, or television communication across state or national boundaries. In effect, the unauthorized access to a computer replaces the interstate requirement. The computer fraud statute also requires that the actus reus must further the fraud, while the wire fraud statute does not. Further, the computer fraud statute specifies that “use of the computer” cannot be the object of value fraudulently obtained if “the value of such use is not more than $5,000 in any one-year period,” while the wire fraud statute contains no analogous limitation.
The limitation on use of a computer as an object obtained under the computer fraud statute is largely a leftover from the economics of computer usage in the 1980s. At that time, computers were rare and computer usage often had considerable economic value. Unauthorized access to a computer per se could impose costs on the computer’s owner. The legislative history of § 1030(a)(4) suggests that the limitation on computer use as an object of value was designed to distinguish computer fraud from unauthorized access:
The mere use of a computer or computer service has a value all its own. Mere trespasses onto someone else’s computer system can cost the system provider a “port” or access channel that he might otherwise be making available for a fee to an authorized user. At the same time, the Committee believes it is important to distinguish clearly between acts of fraud under (a)(4), punishable as felonies, and acts of simple trespass, punishable in the first instance as misdemeanors. That distinction would be wiped out were the Committee to treat every trespass as an attempt to defraud a service provider of computer time. One simply cannot trespass into another’s computer without occupying a portion of the time that that computer service is available. Thus, that suggested approach would treat every act of unauthorized entry to a Federal interest computer—no matter how brief—as an act of fraud, punishable at the felony level. The Committee does not believe this is a proper approach to this problem. For that reason, the Committee has excluded from coverage under this subsection those instances where “the object of the fraud and the thing obtained consists only of the use of the computer.”
S. Rep. No. 99–432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2488. Note that the requirement of $5,000 applies only in the now-extremely rare case that the use of the computer is the property taken. In the general case, § 1030(a)(4) does not impose a requirement that $5,000 of property must be obtained.
Answer
Strict Liability
Strict liability is the liability of a non-negligent vendor to a third party with whom the vendor has no privity of contract. As strict liability developed rapidly in the courts, there was a move toward standardization in the Restatement (Second) of Torts.
Impediments of Strict Liability
Although strict liability may appear to be all-inclusive, there are limits to its applicability. Strict liability extends only to those third parties whom a manufacturer can expect to be endangered by use of the product. If the retailer is required to adjust or inspect the product, and injury results because the retailer failed to do so, the manufacturer is not liable.
Due Process
Due process is the requirement that established laws and standards of conduct be followed during any official act on the part of the state, to ensure that the individual’s rights are not infringed. Due process applies to any information technology (IT) setting in which the justice system is relevant, including compliance, corporate governance and security. The term is frequently used in connection with individual rights to privacy and security in online communications. A coalition of security advocates, online organizations and research organizations called Digital Due Process seeks amendments to the Electronic Communications Privacy Act (ECPA) to address technologies, communication patterns and volumes of user data that were unforeseen when the Act was written.
Overbreadth
Overbreadth in criminal liability rules, especially in federal law, is abundant and much lamented. Overbreadth is avoidable if it results from normative mistakes about how much conduct to criminalize or from insufficient care to limit open texture in statutes. This mismatch problem is acute if persons engaging in properly criminalized behaviors deliberately alter their conduct to avoid punishment and have resources to devote to avoidance efforts. In response to such efforts, legal actors are apt to expand liability rules further, feeding a cycle of evasion and overbreadth that characterizes important areas of contemporary criminal law. Lawmakers cannot purge the resulting overbreadth from liability rules without producing underbreadth, at significant cost to regulatory objectives. I conclude that, in some areas of expanding substantive criminal law, answers to “overcriminalization” therefore lie not in reducing the scope of conduct rules but in greater reliance on mens rea doctrines, redesign of enforcement institutions, and modification of sentencing practices.
Prosecutorial Discretion
Today, the CFAA is over-inclusive of criminal activity, creating over-criminalization that is only checked by prosecutorial discretion. There are two reasons for this. First, Congress never defined “authorization.” This creates vagueness and has resulted in a circuit split between the Seventh and Ninth Circuits. Second, the CFAA is a bright-line rule with no exceptions. Sentences are harsher and more unpredictable than in other federal cases because the CFAA’s definition of loss is very broad and not limited to foreseeable damages. Furthermore, the prosecution’s burden of proof is very low. The effect is that many defendants are cornered into accepting a plea deal as their only rational legal option, rather than opting for a trial and risking significant prison time and more expenses.
In conclusion, CFAA sentencing is determined according to a calculation of loss incurred that are made not intended to be an absolute solution, and not everyone will agree with the views presented. But, as the literature on the subject has shown, legal scholars agree that the CFAA is in need of reform. Ultimately, this Note seeks to raise awareness about this issue, and encourage further thinking and action. So, I disagree that strict liability, due process, potential over breadth and prosecutorial discretion as a legislature has enacted CFAA at its full potential.
Secondary liability
Authorizing hack back is a good idea which might help cushion the effects of the attacker. Under a well-stated argument of all the properties that perceive a hack back, then when implemented after an attack at the right time it has the ability to recover data in scenarios where it is intended to be used as ransom. Authorizing a hack back can be divided into two cases: whether the attacked is able or not able to minimize the effect of the attack. In a case where the attacked is capable, immediate action will be required to at most prevent a detected intrusion into the system; in cases where the attacked is too late, a hack back has to be defined in such a manner that the “illegal” entry into the attacker will most certainly achieve something, or at least help reduce the damage. In a case where the defined hack back doesn’t achieve something, this may result in illegal entry into the said system. If there is proof that that is the system, then in cases where data was to be used as ransom this would greatly reduce successful negotiations from the attackers when aiming to get the data back; in cases where there is no proof that the said system was the attacker, this turns into a criminal case where there was illegal entry into the system without the owner’s consent. Generally the benefits outweigh the cost, as at first, when detected, a hack back might help neutralize the attacker (self-defense) before they can cause damage to the system, and even after an attack the attacked can reduce the effects of the damage and manipulation by erasing the data to be used as ransom.