morris~1.txt

黑客培训教程

 govern the "accesses" phrase and the "with intent" standard govern the
 "results" phrase, it was necessary to state the scienter requirement at the
 beginning of both phrases.  By contrast, Morris argues, where Congress stated
 the scienter requirement only once, at the beginning of the "accesses" phrase,
 it was intended to cover both the "accesses" phrase and the phrase that
 followed it.
  There is a problem, however, with applying Morris's explanation to section
 1030(a)(5)(A).  As noted earlier, the predecessor of subsection (a)(5)(A)
 explicitly placed the same mental state requirement before both the "accesses"
 phrase and the "damages" phrase.  In relevant part, that predecessor in the
 1984 statute covered anyone who "knowingly accesses a computer without
 authorization, ... and by means of such conduct knowingly uses, modifies,
 destroys, or discloses information in, or prevents authorized use of, such
 computer...."  18 U.S.C. s 1030(A)(3) (Supp. II 1984) (emphasis added).  This
 earlier provision demonstrates that Congress has on occasion chosen to repeat
 the same scienter standard in the "accesses" phrase and the subsequent phrase
 of a subsection of the computer Fraud Statute.  More pertinently, it shows that
 the 1986 amendments adding subsection (a)(5)(A) placed the scienter requirement
 adjacent only to the "accesses" phrase in contrast to a predecessor provision
 that had placed the same standard before both that phrase and the subsequent
 phrase.
  Despite some isolated language in the legislative history that arguably
 suggests a scienter component for the "damages" phrase of section
 1030(a)(5)(A), the wording, structure, and purpose of the subsection, examined
 in comparison with its departure from the format of its predecessor provision
 persuade us that the "intentionally" standard applies only to the "accesses"
 phrase of section 1030(a)(5)(A), and not to its "damages" phrase.
  II. The unauthorized access requirement in section 1030(a)(5)(A)
  [2] Section 1030(a)(5)(A) penalizes the conduct of an individual who
 "intentionally accesses a Federal interest computer without authorization."
 Morris contends that his conduct constituted, at most, "exceeding authorized
 access" rather than the "unauthorized access" that the subsection punishes.
 Morris argues that there was insufficient evidence to convict him of
 "unauthorized access," and that even if the evidence sufficed, he was entitled
 to have the jury instructed on his "theory of defense."
  We assess the sufficiency of the evidence under the traditional
 standard.  Morris was authorized to use computers at Cornell, Harvard, and
 Berkeley, all of which were on INTERNET.  As a result, Morris was authorized to
communicate with other computers on the network to send electronic mail (SEND
 MAIL), and to find out certain information about the users of other
 computers *510 (finger demon).  The question is whether Morris's
 transmission of his worm constituted exceeding authorized access or accessing
 without authorization.
  The Senate Report stated that section 1030(a)(5)(A), like the new section
 1030(a)(3), would "be aimed at 'outsiders,' i.e., those lacking authorization
 to access any Federal interest computer."  Senate Report at 10, U.S.Code
 Cong. & Admin.News at 2488.  But the Report also stated, in concluding its
 discussion on the scope of section 1030(a)(3), that it applies "where the
 offender is completely outside the Government, ... or where the offender's act
 of trespass is interdepartmental in nature."  Id. at 8, U.S.Code Cong. &
 Admin.News at 2486 (emphasis added).
  Morris relies on the first quoted portion to argue that his actions can be
 characterized only as exceeding authorized access, since he had authorized
 access to a federal interest computer.  However, the second quoted portion
 reveals that Congress was not drawing a bright line between those who have some
 access to any federal interest computer and those who have none.  Congress
 contemplated that individuals with access to some federal interest computers
 would be subject to liability under the computer fraud provisions for gaining
 unauthorized access to other federal interest computers.  See, e.g., id.
 (stating that a Labor Department employee who uses Labor's computers to access
 without authorization an FBI computer can be criminally prosecuted).
  The evidence permitted the jury to conclude that Morris's use of the SEND MAIL
 and finger demon features constituted access without authorization.  While a
 case might arise where the use of SEND MAIL or finger demon falls within a
 nebulous area in which the line between accessing without authorization and
 exceeding authorized access may not be clear, Morris's conduct here falls well
 within the area of unauthorized access.  Morris did not use either of those
 features in any way related to their intended function.  He did not send or
 read mail nor discover information about other users;  instead he found holes
 in both programs that permitted him a special and unauthorized access route
 into other computers.
  Moreover, the jury verdict need not be upheld solely on Morris's use of SEND
 MAIL and finger demon.  As the District Court noted, in denying Morris' motion
 for acquittal,
   Although the evidence may have shown that defendant's initial insertion of
 the worm simply exceeded his authorized access, the evidence also demonstrated
 that the worm was designed to spread to other computers at which he had no
 account and no authority, express or implied, to unleash the worm program.
 Moreover, there was also evidence that the worm was designed to gain access to
 computers at which he had no account by guessing their passwords.  Accordingly,
 the evidence did support the jury's conclusion that defendant accessed without
 authority as opposed to merely exceeding the scope of his authority.
  In light of the reasonable conclusions that the jury could draw from
 Morris's use of SEND MAIL and finger demon, and from his use of the trusted
 hosts feature and password guessing, his challenge to the sufficiency of the
 evidence fails.
  Morris endeavors to bolster his sufficiency argument by contending that his
 conduct was not punishable under subsection (a)(5) but was punishable under
subsection (a)(3).  That concession belies the validity of his claim that he
 only exceeded authorization rather than made unauthorized access.  Neither
 subsection (a)(3) nor (a)(5) punishes conduct that exceeds authorization.  Both
 punish a person who "accesses" "without authorization" certain computers.
 Subsection (a)(3) covers the computers of a department or agency of the United
 States;  subsection (a)(5) more broadly covers any federal interest computers,
 defined to include, among other computers, those used exclusively by the United
 States, 18 U.S.C. s 1030(E)(2)(A), and adds the element of causing damage or
 loss of use of a value of $1,000 or more.  If Morris violated subsection
 (a)(3), as he concedes, then his conduct in inserting the worm into the
 INTERNET *511 must have constituted "unauthorized access" under subsection
 (a)(5) to the computers of the federal departments the worm reached, for
 example, those of NASA and military bases.
  To extricate himself from the consequence of conceding that he made
 "unauthorized access" within the meaning of subsection (a)(3), Morris subtly
 shifts his argument and contends that he is not within the reach of subsection
 (a)(5) at all.  He argues that subsection (a)(5) covers only those who, unlike
 himself, lack access to any federal interest computer.  It is true that a
 primary concern of Congress in drafting subsection (a)(5) was to reach those
 unauthorized to access any federal interest computer.  The Senate Report
 stated, "[T]his subsection [ (a)(5) ] will be aimed at 'outsiders,' i.e., those
 lacking authorization to access any Federal interest computer."  Senate Report
 at 10, U.S.Code Cong. & Admin.News at 2488.  But the fact that the subsection
 is "aimed" at such "outsiders" does not mean that its coverage is limited to
 them.  Congress understandably thought that the group most likely to damage
 federal interest computers would be those who lack authorization to use any of
 them.  But it surely did not mean to insulate from liability the person
 authorized to use computers at the State Department who causes damage to
 computers at the Defense Department.  Congress created the misdemeanor offense
 of subsection (a)(3) to punish intentional trespasses into computers for which
 one lacks authorized access;  it added the felony offense of subsection (a)(5)
 to punish such a trespasser who also causes damage or loss in excess of $1,000,
 not only to computers of the United States but to any computer within the
 definition of federal interest computers.  With both provisions, Congress was
 punishing those, like Morris, who, with access to some computers that enable
 them to communicate on a network linking other computers, gain access to other
 computers to which they lack authorization and either trespass, in violation of
 subsection (a)(3), or cause damage or loss of $1,000 or more, in violation of
 subsection (a)(5).
  Morris also contends that the District Court should have instructed the
 jury on his theory that he was only exceeding authorized access.  The District
 Court decided that it was unnecessary to provide the jury with a definition of
 "authorization."  We agree.  Since the word is of common usage, without any
 technical or ambiguous meaning, the Court was not obliged to instruct the jury
 on its meaning.  See, e.g., United States v. Chenault, 844 F.2d 1124, 1131 (5th
 Cir.1988) ("A trial court need not define specific statutory terms unless they
 are outside the common understanding of a juror or are so technical or specific
 as to require a definition.").
  An instruction on "exceeding authorized access" would have risked misleading
 the jury into thinking that Morris could not be convicted if some of his
conduct could be viewed as falling within this description.  Yet, even if that
 phrase might have applied to some of his conduct, he could nonetheless be found
 liable for doing what the statute prohibited, gaining access where he was
 unauthorized and causing loss.
  Additionally, the District Court properly refused to charge the jury with
 Morris's proposed jury instruction on access without authorization.  That
 instruction stated, "To establish the element of lack of authorization, the
 government must prove beyond a reasonable doubt that Mr. Morris was an
 'outsider,' that is, that he was not authorized to access any Federal interest
 computer in any manner."  As the analysis of the legislative history reveals,
 Congress did not intend an individual's authorized access to one federal
 interest computer to protect him from prosecution, no matter what other federal
 interest computers he accesses.
                                   CONCLUSION
  For the foregoing reasons, the judgment of the District Court is affirmed.