morris~1.txt

1000 HOWTOs for various needs [WINDOWS]

 anonymous message from Harvard over the network, instructing programmers how to
 kill the worm and prevent reinfection.  However, because the network route was
 clogged, this message did not get through until it was too late.  computers
 were affected at numerous installations, including leading universities,
 military sites, and medical research facilities.  The estimated cost of dealing
 with the worm at each installation ranged from $200 to more than $53,000.
  Morris was found guilty, following a jury trial, of violating 18
 U.S.C. s 1030(A)(5)(A).  He was sentenced to three years of probation, 400
 hours of community service, a fine of $10,050, and the costs of his
 supervision.
                                   DISCUSSION
  I. The intent requirement in section 1030(a)(5)(A)
  Section 1030(a)(5)(A), covers anyone who
   (5) intentionally accesses a Federal interest computer without authorization,
 and by means of one or more instances of such conduct alters, damages, or
 destroys information in any such Federal interest computer, or prevents
 authorized use of any such computer or information, and thereby
   (A) causes loss to one or more others of a value aggregating $1,000 or more
 during any one year period;  ... [emphasis added].
  [1] The District Court concluded that the intent requirement applied only to
 the accessing and not to the resulting damage.  *507 Judge Munson found
 recourse to legislative history unnecessary because he considered the statute
 clear and unambiguous.  However, the Court observed that the legislative
 history supported its reading of section 1030(a)(5)(A).
  Morris argues that the Government had to prove not only that he intended the
 unauthorized access of a federal interest computer, but also that he intended
 to prevent others from using it, and thus cause a loss.  The adverb
 "intentionally," he contends, modifies both verb phrases of the section.  The
 Government urges that since punctuation sets the "accesses" phrase off from the
 subsequent "damages" phrase, the provision unambiguously shows that
 "intentionally" modifies only "accesses."  Absent textual ambiguity, the
 Government asserts that recourse to legislative history is not appropriate.
 See Burlington N.R. Co. v. Oklahoma Tax Comm'n, 481 U.S. 454, 461, 107 S.Ct.
 1855, 1859, 95 L.Ed.2d 404 (1987);  Consumer Product Safety Comm'n v. GTE
 Sylvania, Inc., 447 U.S. 102, 108, 100 S.Ct. 2051, 2056, 64 L.Ed.2d 766
 (1980);  United States v. Holroyd, 732 F.2d 1122, 1125 (2d Cir.1984).
  With some statutes, punctuation has been relied upon to indicate that a phrase
 set off by commas is independent of the language that followed.  See United
 States v. Ron Pair Enterprises, Inc., 489 U.S. 235, 241, 109 S.Ct. 1026, 1030,
 103 L.Ed.2d 290 (1989) (interpreting the Bankruptcy Code).  However, we have
 been advised that punctuation is not necessarily decisive in construing
 statutes, see Costanzo v. Tillinghast, 287 U.S. 341, 344, 53 S.Ct. 152, 153, 77
 L.Ed. 350 (1932), and with many statutes, a mental state adverb adjacent to
 initial words has been applied to phrases or clauses appearing later in the

 statute without regard to the punctuation or structure of the statute.  See
 Liparota v. United States, 471 U.S. 419, 426-29, 105 S.Ct. 2084, 2088-90, 85
 L.Ed.2d 434 (1985) (interpreting food stamps provision);  United States v.
 Nofziger, 878 F.2d 442, 446-50 (D.C.Cir.) (interpreting government "revolving
 door" statute), cert. denied, --- U.S. ----, 110 S.Ct. 564, 107 L.Ed.2d 559
 (1989);  United States v. Johnson & Towers, Inc., 741 F.2d 662, 667-69 (3d
 Cir.1984) (interpreting the conservation act), cert. denied, 469 U.S. 1208, 105
 S.Ct. 1171, 84 L.Ed.2d 321 (1985).  In the present case, we do not believe the
 comma after "authorization" renders the text so clear as to preclude review of
 the legislative history.
  The first federal statute dealing with computer crimes was passed in
 1984, Pub.L. No. 98-473 (codified at 18 U.S.C. s 1030 (Supp. II 1984)).  The
 specific provision under which Morris was convicted was added in 1986, Pub.L.
 No. 99-474, along with some other changes.  The 1986 amendments made several
 changes relevant to our analysis.
  First, the 1986 amendments changed the scienter requirement in section
 1030(a)(2) from "knowingly" to "intentionally."  See Pub.L. No. 99-474, section
 2(a)(1).  The subsection now covers anyone who
   (2) intentionally accesses a computer without authorization or exceeds
 authorized access, and thereby obtains information contained in a financial
 record of a financial institution, or of a card issuer as defined in section
 1602(n) of title 15, or contained in a file of a consumer reporting agency on a
 consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C.
 1681 et seq.).
  According to the Senate Judiciary Committee, Congress changed the mental state
 requirement in section 1030(a)(2) for two reasons.  Congress sought only to
 proscribe intentional acts of unauthorized access, not "mistaken, inadvertent,
 or careless" acts of unauthorized access.  S.Rep. No. 99-432, 99th Cong., 2d
 Sess. 5 (1986), reprinted in 1986 U.S.Code Cong. & Admin.News 2479, 2483
 [hereinafter Senate Report].
  Also, Congress expressed concern that the "knowingly" standard "might be
 inappropriate for cases involving computer technology."  Id.  The concern was
 that a scienter requirement of "knowingly" might encompass the acts of an
 individual "who inadvertently 'stumble[d] into' someone else's computer file or
 computer data," especially where such individual was authorized *508 to use
 a particular computer.  Id. at 6, 1986 U.S.Code Cong. & Admin.News at 2483.
 The Senate Report concluded that "[t]he substitution of an 'intentional'
 standard is designed to focus Federal criminal prosecutions on those whose
 conduct evinces a clear intent to enter, without proper authorization, computer
 files or data belonging to another."  Id., U.S.Code Cong. & Admin.News at
 2484.  Congress retained the "knowingly" standard in other subsections of
 section 1030.  See 18 U.S.C. s 1030(A)(1), (a)(4).
  This use of a mens rea standard to make sure that inadvertent accessing was
 not covered is also emphasized in the Senate Report's discussion of section
 1030(a)(3) and section 1030(a)(5), under which Morris was convicted.  Both
 subsections were designed to target "outsiders," individuals without
 authorization to access any federal interest computer.  Senate Report at 10,
 U.S.Code Cong. & Admin.News at 2488.  The rationale for the mens rea
 requirement suggests that it modifies only the "accesses" phrase, which was the
 focus of Congress's concern in strengthening the scienter requirement.
  The other relevant change in the 1986 amendments was the introduction of
 subsection (a)(5) to replace its earlier version, subsection (a)(3) of the 1984
 act, 18 U.S.C. s 1030(A)(3) (Supp. II 1984).  The predecessor subsection
 covered anyone who
   knowingly accesses a computer without authorization, or having accessed
 a computer with authorization, uses the opportunity such access provides for
 purposes to which such authorization does not extend, and by means of such
 conduct knowingly uses, modifies, destroys, or discloses information in, or
 prevents authorized use of, such computer, if such computer is operated for or
 on behalf of the Government of United States and such conduct affects such
 operation.
  The 1986 version changed the mental state requirement from "knowingly" to
 "intentionally," and did not repeat it after the "accesses" phrase, as had the
 1984 version.  By contrast, other subsections of section 1030 have retained
 "dual intent" language, placing the scienter requirement at the beginning of
 both the "accesses" phrase and the "damages" phrase.  See, e.g., 18 U.S.C. s
 1030(A)(1).
  Morris notes the careful attention that Congress gave to selecting the
 scienter requirement for current subsections (a)(2) and (a)(5).  Then, relying
 primarily on comments in the Senate and House reports, Morris argues that the
 "intentionally" requirement of section 1030(a)(5)(A) describes both the conduct
 of accessing and damaging.  As he notes, the Senate Report said that "[t]he new
 subsection 1030(a)(5) to be created by the bill is designed to penalize those
 who intentionally alter, damage, or destroy certain computerized data belonging
 to another."  Senate Report at 10, U.S.Code Cong. & Admin.News at 2488.  The
 House Judiciary Committee stated that "the bill proposes a new section (18
 U.S.C. 1030(A)(5)) which can be characterized as a 'malicious damage' felony
 violation involving a Federal interest computer.  We have included an
 'intentional' standard for this felony and coverage is extended only to outside
 trespassers with a $1,000 threshold damage level."  H.R.Rep. No. 99-612, 99th
 Cong.2d Sess. at 7 (1986).  A member of the Judiciary Committee also referred
 to the section 1030(a)(5) offense as a "malicious damage" felony during the
 floor debate.  132 Cong.Rec. H3275, 3276 (daily ed. June 3, 1986) (remarks of
 Rep. Hughes).
  The Government's argument that the scienter requirement in section
 1030(a)(5)(A) applies only to the "accesses" phrase is premised primarily upon
 the difference between subsection (a)(5)(A) and its predecessor in the 1984
 statute.  The decision to state the scienter requirement only once in
 subsection (a)(5)(A), along with the decision to change it from "knowingly" to
 "intentionally," are claimed to evince a clear intent upon the part of Congress
 to apply the scienter requirement only to the "accesses" phrase, though making
 that requirement more difficult to satisfy.  This reading would carry out the
 Congressional objective of protecting the individual who "inadvertently
 'stumble[s] into' someone else's computer file."  Senate Report at 6, U.S.Code
 Cong. & Admin.News at 2483.
  *509 The Government also suggests that the fact that other subsections of
 section 1030 continue to repeat the scienter requirement before both phrases of
 a subsection is evidence that Congress selectively decided within the various
 subsections of section 1030 where the scienter requirement was and was not
 intended to apply.  Morris responds with a plausible explanation as to why
 certain other provisions of section 1030 retain dual intent language.  Those
 subsections use two different mens rea standards;  therefore it is necessary to
 refer to the scienter requirement twice in the subsection.  For example,
 section 1030(a)(1) covers anyone who
   (1) knowingly accesses a computer without authorization or exceeds
 authorized access, and by means of such conduct obtains information that has
 been determined by the United States Government pursuant to an Executive order
 or statute to require protection against unauthorized disclosure for reasons of
 national defense or foreign relations, or any restricted data ... with the
 intent or reason to believe that such information so obtained is to be used to
 the injury of the United States, or to the advantage of any foreign nation.
  Since Congress sought in subsection (a)(1) to have the "knowingly" standard