Rejecting several challenges, the Fifth Circuit recently upheld the conviction of a University of Texas at Austin student violating the Computer Fraud and Abuse Act by intentionally accessing a protected computer without authorization.
Christopher Andrew Phillips enrolled at the University of Texas at Austin (“UT”) in 2001 and was granted access to the UT computer network subject to UT’s “acceptable use” policy which, among other things, bars the use of “port scans” to detect insecure computers. Despite signing this agreement, Phillips used a port scanning program to infiltrate hundreds of computers.
Among these was a “secure” UT system known as “TXClass,” which provided various services to faculty and staff. Authorized users could access these services by entering their social security number on the log-in page. Phillips transmitted to this website a “brute-force attack” program, which tried submitting hundreds of social security numbers per minute and eventually identified gained access to the accounts of more than 45,000 users. After being discovered, Phillips was convicted of violating the Computer Fraud and Abuse Act (“CFAA”) and was sentenced to five years’ probation, five hundred hours of community service, and restitution of more than $170,000 to cover the costs incurred by UT in assessing the damage and notifying the thousands of users whose information had been compromised.
II. The Meaning of “Authorization” Under the CFAA
Phillips first argued that the evidence was insufficient to find that he accessed the TXClass website without authorization. Because he was an authorized user of the UT computer network, and because the TXClass website was a “public application” that anyone could access (even if none of the services could be used without an account), Phillips alleged that there could be no grounds for finding that he accessed the system without authorization. Because Phillips failed to raise this argument in his motion for a directed verdict of acquittal, the court reviewed it only for “manifest miscarriage of justice.”
The CFAA tries to define “authorized” access to deal with the different problems of “outsider” versus “insider” attacks. The statute also focuses on unauthorized access as opposed to improper use, of computers. An outsider, who has not been granted permission to access a computer, exceeds his authorization simply by accessing the computer, regardless of how he uses it. On the other hand, an insider, who has been granted permission to access a computer for some purpose, or to access some parts of a computer system, but not others, might exceed his authorization if he trespasses in a different part of the network, or uses his otherwise legitimate access in an unauthorized way. The exact boundaries of “unauthorized use” are unclear: If taken to its full extreme, defining lack of authorization as improper use might mean any violation of an acceptable use policy is elevated from a breach of contract to a full criminal violation. The law is unclear whether the CFAA’s criminal sanctions for unauthorized use reach such extremes. While the defendant’s arguments in this case do not squarely present these issues, dicta in the court’s ruling supports reading the CFAA prohibitions broadly.
Rejecting the defendant’s argument, the court held that “authorization” should be defined in terms of “expected norms of intended use.” The court cited several cases adopting this approach in the First, Second, and Ninth Circuits, and it found Phillips’s all-or-nothing conception of “authorization” to be inconsistent with the Congressional record accompanying the Act’s enactment. Applying the expected norms approach, the court concluded that “Phillips’s brute-force attack program was not an intended use of the UT network within the understanding of any reasonable computer user.” Similarly, while any internet user could “access” the log-in page for the TXClass website, access to the services and data contained within that website requires an affirmative authorization from UT, and Phillips’s use of others’ social security numbers to gain access to these services was unauthorized. Because Phillips’s conduct was malicious and could have no legitimate purpose, the court was able to find that this conduct violated expected norms of intended use without further considering the difficult questions of how “expected norms” relates to the text of the acceptable use agreement, to a reasonable user’s understanding of that agreement, or to a broader cultural or societal understanding of what constitutes legitimate use.
III. Constructive Amendment and Harmless Error Analysis
Phillips also argued, and the court agreed, that the district court erred by instructing the jury on the elements required to convict under § 1030(a)(5)(A)(i) when the indictment actually charged him with a violation of § 1030(a)(5)(A)(ii), causing a constructive amendment of the indictment. While the charge in the indictment requires a finding that Phillips intentionally accessed a protected computer, the jury was told that it need only find that Phillips knowingly transmitted a program to a protected computer.
After reviewing the record, however, the court found this to be a harmless error and sustained the conviction. With regard to the transmission/access distinction, the court found that “[t]he factual predicates . . . are identical,” and thus “[t]here is no conceivable basis upon which the jury could have concluded Phillips transmitted the program . . . without having also accessed a protected computer.” Likewise, with regard to the knowingly/intentionally mens rea distinction, the court found that “[i]t beggars belief that, having transmitted [an invasive] program, Phillips did not intend to access a protected computer.” The erroneous jury instructions were thus deemed immaterial to Phillips’s conviction.
IV. Other Challenges to Phillips’s conviction
Phillips’s final two challenges were also summarily rejected by the court. First, Phillips argued that the district court should have instructed the jury on a lesser-included offense. But because he failed to submit a proposed charge at trial, the court concluded that Phillips had made a strategic choice to press the jury into an all-or-nothing decision, and in doing so he waived his right to the lesser-included offense instruction. Second, Phillips alleged that he should not be ordered to pay restitution to UT for the costs it incurred investigating the computer breach and in contacting the affected individuals. But the court noted that the applicable section of the Mandatory Restitution to Victims Act, 18 U.S.C. § 3663A(b)(4), expressly authorizes restitution for “expenses incurred during participation in the investigation or prosecution of the offense,” and thus the restitution award was appropriate.