In a recent decision, the federal Court of Appeals for the Second Circuit (which covers New York, Connecticut, and Vermont) affirmed the conviction of an Italian citizen for misdemeanor computer intrusion in violation of the Computer Fraud and Abuse Act of 1986 (CFAA). The decision is noteworthy in that, among other things, the Second Circuit rejected a challenge to the statute as being unconstitutionally vague.
According to the Court’s summary of the underlying facts, the defendant in the case, Fabio Gasperini, was the mastermind behind a computer virus that affected QNAP-brand computers specifically designed for the storage of data. The virus installed malware; once a computer was infected, the attacker installed a “backdoor” account that provided unrestricted access to and control over the computer’s data, and also blocked other hackers from getting onto the computer. The infected computer was then instructed to scan the internet for other computers with the same vulnerability and infect them. In this way, the attacker created a “botnet”—a network of infected computers within the attacker’s control. The virus accomplished many tasks, including copying username and password files from the infected computer to a server, directing the infected computer to click on certain advertisements, and prompting the botnet to launch coordinated attacks on specific websites.
Once the virus was detected, the subsequent investigation revealed that more than 155,000 computers were infected worldwide, with many of them located in the United States. Investigators identified Mr. Gasperini, an Italian citizen, as the creator of the virus and perpetrator of the various attacks. Further, Gasperini was linked to a related “click fraud” scheme, in which the botnet computers clicked on certain advertisements for websites registered in his name which in turn earned him money from an advertising company for each ad viewed on the websites.
A grand jury charged Gasperini with felony crimes of computer intrusion with intent to defraud, for financial gain, and in furtherance of criminal acts; wire fraud; and money laundering. However, after a jury trial, Gasperini was acquitted of all felony charges and convicted only of misdemeanor computer intrusion, a lesser-included crime, in violation of a provision of the CFAA which punishes anyone who “intentionally accesses a computer without authorization…and thereby obtains…information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C).
Gasperini appealed his conviction, arguing that the statute was unconstitutionally vague because it did not define the terms “access,” “authorization,” and “information,” and because the definition of “protected computer” was overbroad. Reviewing the district court’s decision for plain error, the Second Circuit noted that Gasperini had cited no authority from any court holding, or even suggesting, that the statute is unconstitutionally vague. Further, the Court found that there was no due process violation, as the statute adequately provided a person of average intelligence fair notice of what activity was prohibited, and Gasperini’s conduct fell “squarely and unambiguously within the core prohibition of the statute.”
The Court also rejected Gasperini’s contention that certain evidence should have been suppressed at trial, including evidence obtained pursuant to search warrants issued under the Stored Communications Act (SCA) and evidence obtained during searches of his home in Italy by Italian law enforcement officers pursuant to an Italian warrant. The Court found that suppression of evidence is not a remedy available for violation of the SCA. As for the searches done in Italy, Gasperini argued that the Italian officials acted at the behest of American law enforcement officials, thus making them subject to U.S. constitutional requirements for searches. However, the Court found that the U.S. officials did not control or direct the conduct of the Italian investigation, and that a mere request for a search is not sufficient to show control.
As for Gasperini, he was sentenced to a one-year prison term (the maximum allowed). Interestingly, for sentencing purposes, the trial judge found that the government had proven, by a preponderance of the evidence, that Gasperini had committed the felony offenses with which he had been charged. It is unclear from the decision why the jury let him off the hook for the felony charges and only found him guilty of a misdemeanor. Gasperini has already served his one-year sentence and has been deported to Italy.