United States v. Morris (1991)

United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act. In the process, the dispute clarified much of the language used in the law, which had been heavily revised in a number of updates passed in the years after its initial drafting. Also clarified was the concept of "unauthorized access," which is central in the United States' computer security laws. The decision was the first by a U.S. court to refer to "the Internet", which it described simply as "a national computer network."

Case background
Robert Tappan Morris was a Cornell student, who began work in 1988 on an early Internet worm. He had been given explicit access to a Cornell computer account upon entering the school, and used this access to develop his worm. Morris released the worm from MIT, in an attempt to disguise its source. The worm spread through four mechanisms: The worm was designed so that it would not spread to computers that it had already infected. To prevent computers from defending against this by pretending to have the worm, however, it would still infect an already infected computer one out of seven times. The worm was also designed so that it would be erased when an infected computer was shut down, thus preventing multiple infections from becoming problematic. Morris' underestimation of the rate of reinfection causing this safeguard to be ineffective, and "tens of thousands" of computers were rendered catatonic by repeated infections. It was estimated that between $200 and $53,000 was required per infected facility to clean up after the worm.
 * Through a bug in Sendmail, an email program.
 * Through a bug in Finger, a program used to find out information about other users on networked computers.
 * Through a "trusted hosts" feature, which allows users from one system to use another system without a password.
 * Through a password brute-force attack.

Morris was found guilty by the United States District Court for the Northern District of New York of violating 18 U.S.C. 1030(a)(5)(A), sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the cost of his supervision.

Discussion
Legal discourse took place on three main issues: whether Morris had to have intended to cause damage, whether Morris really had gained unauthorized access, and whether the District Court had properly informed the jury of the subtleties of the case.

Intent to cause damage
As it read in 1991,, part of the Computer Fraud and Abuse Act, covered anyone who:

(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby

(A) causes loss to one or more others of a value aggregating $1,000 or more during any one-year period;

Morris argued that this did not apply to him, as the Government could not conclusively prove that he had intended to cause damage to a Federal interest computer. Federal interest computers are defined as any that participate in national or international commerce, or that are used in a federal or governmental institution. The Government disagreed, stating that since a comma separated the "intentionally" phrase from the rest of the section, it did not necessarily apply. This use of punctuation to separate adverbs has precedents in Burlington No. R. Co. v. Okla. Tax Comm'n and Consumer Product Safety Comm'n v. GTE Sylvania, Inc.

The court also took into consideration the language used in previous versions of the law to determine the intent of Congress. In the 1986 amendment to the law, section 1030(a)(2) had its mental state requirement changed from "knowingly" to "intentionally." This was done in order to disallow purposeful unauthorized access, not "mistaken, inadvertent, or careless" acts. The court reasoned that since this "intentionally" phrase was inserted into the law in order to avoid punishing users that had accidentally accessed a computer they did not have authorization to, it applied strictly to the "accesses" clause, not the "damages" one. There is no evidence that Congress intended to make it legal to accidentally damage another computer, therefore the "intentionally" specification was not made there. Additionally, the Government suggested that many other subsections of 1030, specifically (a)(1), continue to repeat the mental state requirement before each clause, indicating that the lack of such repetition in (a)(5)(A) is indicative of the short reach of the "intentionally" adverb.

To contest this claim, Morris cited a different section of the Senate Report: "[t]he new subsection 1030(a)(5) to be created by the bill is designed to penalize those who intentionally alter, damage, or destroy certain computerized data belonging to another." The court however, found the Government's evidence of the changing language of the statute to be more convincing.

Unauthorized access
Morris argued that, since he was given access to computers at Cornell, Harvard, and Berkeley, by releasing the worm he had simply exceeded authorized access, not gained unauthorized access. For this reason, he theorized that section (a)(3), not (a)(5)(A), properly covered him. This defense is based in another section of the Senate report, which stated that the Computer Fraud and Abuse Act would be aimed at "outsiders" (people not authorized to use federal interest computers). Because Morris did have access to computers of this nature, he stated that his actions were not completely unauthorized. However, the aforementioned Senate report also states that the law applies "where the offender's act of trespass is interdepartmental in nature." The court reasoned that since Morris' worm reached computers spanning U.S. government departments, including military ones, 18 U.S.C. 1030 properly applied to him.

The court also pointed out that since Morris used the sendmail and finger programs in a way they were not intended to be used, his "exceeded authorization" defense was further weakened. Since Morris only used these programs because they had security holes he could exploit to gain access to computers he could not otherwise access, this use exemplifies "unauthorized access". The fact that the worm guessed passwords to break into other systems further highlights this point.

Proper instruction of the jury
Morris claimed that the District Court improperly educated the jury on the specifics of his case. First, he complained that the District Court had not provided a definition of "authorization" to the jury. The Court had stated that "authorization" was of common usage and not required to be defined. The Appellate Court in this case agreed, citing precedent. Morris also contended that the District Court wrongly did not instruct the jury on "exceeding authorized access" using his proposed definition. Again, the Appellate Court agreed with the District Court's decision, stating that extra definition would be potentially confusing, and that Morris's proposed instruction was incorrect. Additionally, the term "exceeding authorized access" implies that it is less serious than "unauthorized access," but even if this was the case, Morris was liable under many parts of the Computer Fraud and Abuse Act.

Court's decision
The US Court of Appeals, Second Circuit affirmed the decision of the lower District Court, in which Morris was found guilty of violating 18 U.S.C. 1030(a)(5)(A), which is a felony.

Case reception
In 1996 the Computer Fraud and Abuse Act was amended again to clarify the intent problems that made up the majority of U.S. v. Morris. The adverbs "knowingly" and "intentionally" were inserted in more places in the statute, in an attempt to make litigation with the law simpler in the future.

This case affirmed the strength of the Computer Fraud and Abuse Act. Prior to this decision, it had been assumed that the Act required intent to cause damage - which was thought to be very hard to prove. The ruling here demonstrated that this was not the case.