United States v. Morris | |
---|---|
Court | United States Court of Appeals for the Second Circuit |
Full case name | United States v. Robert Tappan Morris |
Argued | December 4 1990 |
Decided | March 7 1991 |
Citation(s) | 928 F.2d 504 |
Holding | |
The Government does not need to prove that the defendant intentionally prevented use of federal interest computers, thereby causing loss. Furthermore, Morris acted "without authorization" according to section (a)(5)(A). The decision is therefore affirmed. | |
Court membership | |
Judge(s) sitting | Jon Newman, Ralph Winter, T.F. Daly |
Case opinions | |
Majority | Jon O. Newman |
Laws applied | |
18 U.S.C. § 1030(a)(5)(A) |
United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act. In the process, the dispute clarified much of the language used in the law, which had been heavily revised in a number of updates passed in the years after its initial drafting. Also clarified was the concept of "unauthorized access," which is central in the United States' computer security laws. [1] The decision was the first by a U.S. court to refer to "the Internet", [2] which it described simply as "a national computer network." [1]
Robert Tappan Morris was a Cornell student, who began work in 1988 on an early Internet worm. He had been given explicit access to a Cornell computer account upon entering the school, and used this access to develop his worm. Morris released the worm from MIT, in an attempt to disguise its source. The worm spread through four mechanisms: [3]
The worm was designed so that it would not spread to computers that it had already infected. To prevent computers from defending against this by pretending to have the worm, however, it would still infect an already infected computer one out of seven times. The worm was also designed so that it would be erased when an infected computer was shut down, thus preventing multiple infections from becoming problematic. Morris' underestimation of the rate of reinfection causing this safeguard to be ineffective, and "tens of thousands" of computers were rendered catatonic by repeated infections. [3] [4] It was estimated that between $200 and $53,000 was required per infected facility to clean up after the worm. [3]
Morris was found guilty by the United States District Court for the Northern District of New York of violating 18 U.S.C. 1030(a)(5)(A), sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the cost of his supervision. [3]
Legal discourse took place on three main issues: whether Morris had to have intended to cause damage, whether Morris really had gained unauthorized access, and whether the District Court had properly informed the jury of the subtleties of the case.
As it read in 1991, 18 U.S.C. § 1030(a)(5)(A), part of the Computer Fraud and Abuse Act, covered anyone who: [3]
(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby
(A) causes loss to one or more others of a value aggregating $1,000 or more during any one-year period;
Morris argued that this did not apply to him, as the Government could not conclusively prove that he had intended to cause damage to a Federal interest computer. Federal interest computers are defined as any that participate in national or international commerce, or that are used in a federal or governmental institution. [5] The Government disagreed, stating that since a comma separated the "intentionally" phrase from the rest of the section, it did not necessarily apply. This use of punctuation to separate adverbs has precedents in Burlington No. R. Co. v. Okla. Tax Comm'n and Consumer Product Safety Comm'n v. GTE Sylvania, Inc. [6]
The court also took into consideration the language used in previous versions of the law to determine the intent of Congress. In the 1986 amendment to the law, section 1030(a)(2) had its mental state requirement changed from "knowingly" to "intentionally." This was done in order to disallow purposeful unauthorized access, not "mistaken, inadvertent, or careless" acts. [7] The court reasoned that since this "intentionally" phrase was inserted into the law in order to avoid punishing users that had accidentally accessed a computer they did not have authorization to, it applied strictly to the "accesses" clause, not the "damages" one. There is no evidence that Congress intended to make it legal to accidentally damage another computer, therefore the "intentionally" specification was not made there. Additionally, the Government suggested that many other subsections of 1030, specifically (a)(1), continue to repeat the mental state requirement before each clause, indicating that the lack of such repetition in (a)(5)(A) is indicative of the short reach of the "intentionally" adverb. [8]
To contest this claim, Morris cited a different section of the Senate Report: "[t]he new subsection 1030(a)(5) to be created by the bill is designed to penalize those who intentionally alter, damage, or destroy certain computerized data belonging to another." [9] The court however, found the Government's evidence of the changing language of the statute to be more convincing. [8]
Morris argued that, since he was given access to computers at Cornell, Harvard, and Berkeley, by releasing the worm he had simply exceeded authorized access, not gained unauthorized access. For this reason, he theorized that section (a)(3), not (a)(5)(A), properly covered him. [10] This defense is based in another section of the Senate report, which stated that the Computer Fraud and Abuse Act would be aimed at "outsiders" (people not authorized to use federal interest computers). [9] Because Morris did have access to computers of this nature, he stated that his actions were not completely unauthorized. However, the aforementioned Senate report also states that the law applies "where the offender's act of trespass is interdepartmental in nature." The court reasoned that since Morris' worm reached computers spanning U.S. government departments, including military ones, [4] 18 U.S.C. 1030 properly applied to him.
The court also pointed out that since Morris used the sendmail and finger programs in a way they were not intended to be used, his "exceeded authorization" defense was further weakened. Since Morris only used these programs because they had security holes he could exploit to gain access to computers he could not otherwise access, this use exemplifies "unauthorized access". The fact that the worm guessed passwords to break into other systems further highlights this point. [10]
Morris claimed that the District Court improperly educated the jury on the specifics of his case. First, he complained that the District Court had not provided a definition of "authorization" to the jury. The Court had stated that "authorization" was of common usage and not required to be defined. The Appellate Court in this case agreed, citing precedent. [11] Morris also contended that the District Court wrongly did not instruct the jury on "exceeding authorized access" using his proposed definition. Again, the Appellate Court agreed with the District Court's decision, stating that extra definition would be potentially confusing, and that Morris's proposed instruction was incorrect. Additionally, the term "exceeding authorized access" implies that it is less serious than "unauthorized access," but even if this was the case, Morris was liable under many parts of the Computer Fraud and Abuse Act. [10]
The US Court of Appeals, Second Circuit affirmed the decision of the lower District Court, in which Morris was found guilty of violating 18 U.S.C. 1030(a)(5)(A), which is a felony. [1]
In 1996 the Computer Fraud and Abuse Act was amended again to clarify the intent problems that made up the majority of U.S. v. Morris. The adverbs "knowingly" and "intentionally" were inserted in more places in the statute, in an attempt to make litigation with the law simpler in the future. [12]
This case affirmed the strength of the Computer Fraud and Abuse Act. [13] Prior to this decision, it had been assumed that the Act required intent to cause damage - which was thought to be very hard to prove. [13] The ruling here demonstrated that this was not the case.
The Morris worm or Internet worm of November 2, 1988, was one of the oldest computer worms distributed via the Internet, and the first to gain significant mainstream media attention. It also resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act. It was written by a graduate student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988, from the computer systems of the Massachusetts Institute of Technology.
Robert Tappan Morris is an American computer scientist and entrepreneur. He is best known for creating the Morris worm in 1988, considered the first computer worm on the Internet.
The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.
Computer fraud is a cybercrime and the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system. In the United States, computer fraud is specifically proscribed by the Computer Fraud and Abuse Act, which criminalizes computer-related acts under federal jurisdiction.
Computer trespass is a computer crime in the United States involving unlawful access to computers. It is defined under the Computer Fraud and Abuse act.
Protected computers is a term used in Title 18, Section 1030 of the United States Code, which prohibits a number of different kinds of conduct, generally involving unauthorized access to, or damage to the data stored on, "protected computers". The statute, as amended by the National Information Infrastructure Protection Act of 1996, defines "protected computers" as:
a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
The National Information Infrastructure Protection Act was Title II of the Economic Espionage Act of 1996, as an amendment to the Computer Fraud and Abuse Act.
United States v. Drew, 259 F.R.D. 449, was an American federal criminal case in which the U.S. government charged Lori Drew with violations of the Computer Fraud and Abuse Act (CFAA) over her alleged cyberbullying of her 13-year-old neighbor, Megan Meier, who had committed suicide. The jury deadlocked on a felony conspiracy count and acquitted Drew of three felony CFAA violations, but found her guilty of lesser included misdemeanor violations; the judge overturned these convictions in response to a subsequent motion for acquittal by Drew.
In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 ("DoubleClick"), had Internet users initiate proceedings against DoubleClick, alleging that DoubleClick's placement of web cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated web sites constituted violations of three federal laws: The Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act.
LVRC Holdings v. Brekka 581 F.3d 1127, 1135 is a Ninth Circuit Court of Appeals Decision that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act. The major finding of this case is that even if an employee accesses a computer for an improper purpose, such as one that violates the duty of loyalty to their employer, the employee remains authorized to access the computer until the employer revokes the employee's access. The findings of this case were upheld by another Ninth Circuit decision in United States v. Nosal, 676 F.3d 854 and are the current law in this circuit.
United States v. Nosal, 676 F.3d 854 was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.
United States of America v. Ancheta is the name of a lawsuit against Jeanson James Ancheta of Downey, California by the U.S. Government and was handled by the United States District Court for the Central District of California. This is the first botnet related prosecution in U.S history.
In United States v. John, 597 F.3d 263 (2010) United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act 18 U.S.C. §1030(e)(6) and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.
In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Jacob Citrin had been employed by IAC, who had lent him a laptop for use while under their employment. Upon leaving IAC, he deleted the data on the laptop before returning it to IAC. The Court of Appeals decided to reverse the decision and reinstated IAC's lawsuit.
United States v. Morris may refer to:
Lee v. PMSI, Inc., No. 10-2094, was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.
Pulte Homes, Inc. v. Laborers' International Union of North America, 648 F.3d 295, is a Sixth Circuit Court of Appeals case that reinstated a Computer Fraud and Abuse Act ("CFAA") claim brought by an employer against a labor union for "bombarding" the company's phone and computer systems with emails and voicemail, making it impossible for the company to communicate with customers. It held that causing a transmission that diminishes a plaintiff's ability to use its systems and data constitutes "causing damage" in violation of the CFAA.
United States v. Kane, No 11-mj-00001, is a court case where a software bug in a video poker machine was exploited to win several hundred thousand dollars. Central to the case was whether a video poker machine constituted a protected computer and whether the exploitation of a software bug constituted exceeding authorized access under Title 18 U.S.C. § 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA). Ultimately, the Court ruled that the government’s argument failed to sufficiently meet the “exceeding authorized access” requirement of Title 18 U.S.C. § 1030(a)(4) and granted the Defendants’ Motions to Dismiss.
hiQ Labs, Inc. v. LinkedIn Corp, 938 F.3d 985, was a United States Ninth Circuit case about web scraping. The 9th Circuit affirmed the district court's preliminary injunction, preventing LinkedIn from denying the plaintiff, hiQ Labs, from accessing LinkedIn's publicly available LinkedIn member profiles. hiQ is a small data analytics company that used automated bots to scrape information from public LinkedIn profiles.
Van Buren v. United States, 593 U.S. ___ (2021), was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one "exceeds authorized access" by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA's language had long created a circuit split in case law, and the Court's decision narrowed the applicability of CFAA in prosecuting cybersecurity and computer crime.