User:Maxburkhardt/sandbox

Notes on US v. Morris


 * Morris writes worm using Cornell computer account (access was given to him).
 * Spreads via bugs in sendmail, finger, password guessing, and "trusted hosts" abuse.
 * Estimated damage: between $200 and $53,000 per installation.
 * Found guilty of violating
 * Sentence: 3 years probation, 400 hours community service, a fine of $10,050, and costs of supervision.
 * The above section covers anyone who "prevents authorized use" of any "Federal interest computer", and which causes a loss of $1000 or more over a 1 year time period.
 * Morris' Position
 * U.S. should have to prove that he intended to prevent usage interruptions and $ loss.
 * Morris states that he had to have intentionally accessed and caused damage to be covered under 1030 a 5 A
 * Claims that he "exceeded authorized access", did not have "unauthorized access"
 * Claims that he should not be punished under (a)(5)(A), but (a)(3). This is because of the "outsiders" distinction (discussed below).
 * Claims that the jury should have been instructed about his "exceeding authorization" defense. Court rebuffs, stating that "authorization" is a common concept and need not be explained.
 * US Position
 * Government claims that scienter applies only to "accesses". Mostly based on Congress history (see Senate Report at 6, U.S. Code Cong. & Admin. News at 2483)
 * Court decides that "intentionally" applies only to the "access" part of 1030(a)(5)(A), and not to the "damages" part.
 * Language of 1030 relevant to this case was amended in 1994, 3 years after the case was concluded.
 * In Senate Report at 10, 2488 is "aimed at outsiders" but this was meant to mean anyone out of the government or in another department.
 * Court decides that even though Morris has access to some Federal interest computers, he is crossing department lines and therefore can be prosecuted.
 * Also, since Morris did not use sendmail or finger in their intended purpose, it puts him further in to the realm of unauthorized access.

SUMMARY:
 * Morris' two-pronged main argument, after the issue of "knowing" vs. "intending", is that:
 * He exceeded authorized access, which is not punished by 1030(a)(3) or 1030(a)(5)(A)
 * He was not an "outsider", and therefore not affected by 1030(a)(5)(A)

Useful Links: Law revisions Cybercrime Summary