Wednesday, October 30, 2013

The Computer Science Student, Authorization and the University

After a “twelve-count indictment was filed against Daniel Stratman on June 19, 2013”, he filed a motion to dismiss the first two counts (“Counts I and II”), which charged him with violating 18 U.S. Code § 1030(a)(5)(A).  U.S. v. Stratman, 2013 WL 5676874 (U.S. District Court for the Northern District of Nebraska 2013).   

The federal district court judge who has the case begins his opinion by explaining that the counts alleged the following:

DANIEL STRATMAN, knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to a protected computer, to wit, the University of Nebraska and Nebraska State College Systems computer systems, and the offense caused loss to a person or persons during a 1-year period, from the defendant's course of conduct affecting a protected computer, aggregating at least $5,000 in value.

In violation of 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B).

U.S. v. Stratman, supra.  You can read more about the charges, and what (allegedly) led Stratman to be charged with these and other crimes, in the stories you can find here and here.

As Wikipedia explains, under Rule 12 of the Federal Rules of Criminal Procedure, a defendant can file a motion arguing that one or more of the charges against him/her must be dismissed because it is/they are legally insufficient.  The judge began his ruling on Stratman’s motion by explaining that

`[a]n indictment is legally sufficient on its face if it contains all of the essential elements of the offense charged, fairly informs the defendant of the charges against which he must defend, and alleges sufficient information to allow a defendant to plead a conviction or acquittal to bar a subsequent prosecution.’ U.S. v. Fleming, 8 F.3d 1264 (U.S. Court of Appeals for the 8th Circuit 1993).  

The defendant argues the Indictment is defective because it fails to include an essential element of the offense; specifically, he claims any charge against him for violating18 U.S. Code § 1030(a)(5)(A) must allege Stratman was not `permitted initial authorized access’ to the University computer system.

To resolve the defendant's motion, the court must determine the meaning of 18 U.S. Code § 1030(a)(5)(A) and the elements required to prove it was violated. “If the plain language of [a] statute is unambiguous, that language is conclusive absent clear legislative intent to the contrary. 

U.S. v. Stratman, supra.  

The judge began his analysis of Stratman’s argument that the § 1030(a)(5)(A) charges were deficient by explaining that the statute, which imposes liability and punishment on

anyone who `knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.’ 

[Stratman’s] argument is premised on the claim that he `was authorized to access the protected computer, and used that authorization to access data in the computer for which he was not authorized, thereby exceeding his authorization.’ . . . 

[He] argues that while he admittedly exceeded the scope of his authorized access, he did not act `without authorization’ within the meaning of § 1030(a)(5)(A) because his initial access to the system was authorized.

In other words, [Stratman] claims § 1030(a)(5)(A) `cannot be criminally violated by one who was authorized to access the computer at the time he caused the alleged damage.’ . . . As the Magistrate Judge's findings and recommendation persuasively explain, [Stratman’s] reading of the statute is unsupported. 

The phrase `without authorization’ modifies the phrase `intentionally causes damages’: that is, one who is authorized to access a system, but not authorized to damage it, violates the statute by intentionally damaging it `without authorization.’

U.S. v. Stratman, supra.  

In the paragraph above, the U.S. District Court Judge is referring to the “Findings, Recommendation and Order” a U.S. Magistrate Judge drafted for the District Court Judge. U.S. v. Stratman, supra.  As Wikipedia notes, a District Court Judge can refer a matter, such as a motion to dismiss, to a Magistrate Judge to have the latter analyze the issues and write a “report and recommendation” to the judge.  That is what happened here; in this opinion the District Court Judge is ruling on Stratman’s motion and, in so doing, relying on the Magistrate Judge’s Findings, Recommendation and Order.

Getting back to the case, the opinion says Stratman claimed the Magistrate Judge

erred because the phrase `without authorization’ refers to `the element of access to the protected computer.’ . . . [Stratman] asserts that it is `manifest that an essential element of a violation of the Act would be that the person access the protected computer without authorization or by exceeding the authorization given.’ . . . 

But that is not obvious at all, particularly in context. Section 1030(a)(5) provides punishment for one who

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

U.S. v. Stratman, supra.  

The judge then explained that

[i]t is apparent from § 1030(a)(5)(B) and (C) that Congress knew exactly how to require proof that a defendant's access to a computer was unauthorized. ‘”[W]here Congress includes particular language in one section of a statute but omits it in another section of the same Act, it is generally presumed that Congress acts intentionally and purposely in the disparate inclusion or exclusion.’” Dean v. U.S., 556 U.S. 568 (2009) (quoting Russello v. U.S., 464 U.S. 16 (1983)).

There is, in fact, nothing in § 1030(a)(5)(A) to suggest that access to a protected computer is an element of the offense at all, whether or not it was authorized. Nor is that surprising: it is possible for a perpetrator to damage a computer system by distributing a computer virus, for instance, without ever directly accessing the damaged system. 

The fact that the defendant in this case did access the system, with authorization, does not change the fact that if he intentionally damaged the system without authorization, he may be charged with violating § 1030(a)(5)(A).

U.S. v. Stratman, supra.  

The District Court Judge then noted that while he found “that result to be compelled by the plain language of the statute,” he also found that it was supported by the statute’s legislative history. U.S. v. Stratman, supra.  He pointed out that the “Senate Judiciary Committee's report on the bill containing the relevant provision” contains the following:  

Specifically, as amended, subsection 1030(a)(5)(A) would penalize, with a fine and up to 5 years' imprisonment, anyone who knowingly causes the transmission of a program, information, code or command and intentionally causes damage to a protected computer.  

This would cover anyone who intentionally damages a computer, regardless of whether they were an outsider or an insider otherwise authorized to access the computer. Subsection 1030(a)(5)(B) would penalize, with a fine and up to 5 years' imprisonment, anyone who intentionally accesses a protected computer without authorization and, as a result of that trespass, recklessly causes damage. This would cover outside[ ] hackers into a computer who recklessly cause damage. 

Finally, subsection 1030(a)(5)(C) would impose a misdemeanor penalty, of a fine and up to 1 year imprisonment, for intentionally accessing a protected computer without authorization and, as a result of that trespass, causing damage. This would cover outside hackers into a computer who negligently or accidentally cause damage.

In sum, under the bill, insiders, who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage. By contrast, outside hackers who break into a computer could be punished for any intentional, reckless, or other damage they cause by their trespass.

The rationale for this difference in treatment deserves explanation. Although those who intentionally damage a system, without authority, should be punished regardless of whether they are authorized users, it is equally clear that anyone who knowingly invades a system without authority and causes significant loss to the victim should be punished as well, even when the damage caused is not intentional. . . . 

[I]t is better to ensure that section 1030(a)(5) criminalizes all computer trespass, as well as intentional damage by insiders, albeit at different levels of severity.

U.S. v. Stratman, supra (quoting U.S. Senate Report No. 104–357 (1996) (emphasis added in the opinion)). 

After quoting this report, the judge pointed out that “both the language of the statute and the legislative history support the conclusion that unauthorized access to the protected computer system is not an element of the offense defined by § 1030(a)(5)(A).” U.S. v. Stratman, supra (emphasis in the original).

He then noted that Stratman

reasserts his contention that the phrase `without authorization’ should not be related to the phrase “intentionally causes damage” because it would not make sense for someone to be authorized to cause damage. The Magistrate Judge's rejection of that point was persuasive, and the Court need not restate it.

Anyone who has ever redecorated a home, for instance, is familiar with the basic principle that sometimes `damage’ is necessary to facilitate reconstruction or improvement. In the context of information technology, the simplest example may be clearest: old files get deleted all the time.

U.S. v. Stratman, supra.  

The judge therefore denied Stratman’s motion to dismiss. U.S. v. Stratman, supra.  

Monday, October 28, 2013

“Bones”, Dreamboard and Computer Forensics

After he was convicted of “engaging in a child exploitation enterprise” in violation of 18 U.S. Code § 2252A(g) and given a “life sentence”, John Wyss appealed.  U.S. v. Wyss, 2013 WL 5701059 (U.S.Court of Appeals for the 5th Circuit 2013). The Court of Appeals begins its opinion by noting that the

key issue at trial was whether Wyss properly was identified as the person, using the screen name `Bones’, who published child pornography onto an internet bulletin board known as `Dreamboard’.

U.S. v. Wyss, supra. In a footnote the court explains that Dreamboard is a

highly encrypted, members-only, internet bulletin board that promotes members to produce, advertise and share pornographic images and videos of child sexual abuse, including links to an approved, password protected, third-party website for downloading.

U.S. v. Wyss, supra.

Before it took up Wyss’ challenges to his conviction, the Court of Appeals noted how the prosecution arose:

As a result of search warrants executed at Dreamboard's host entity, Certified Hosting Solutions, the government seized the hard drives for Dreamboard's servers. Stored IP addresses were obtained from the servers. With those addresses the government's computer forensics specialist, James Fottrell, was able to determine the names of Internet Service Providers, such as Sprint for each IP address.

Subpoenaed records from Sprint allowed Fottrell and other government investigators to identify John Wyss, at a specified address in Monroe, Wisconsin, with an assigned network access identifier `JWYSS14’ as the person who posted child pornography on Dreamboard using the name `Bones’.

Prior to execution of warrants at the latter address, Wyss's half-sister Teresa Dampier was informed by her live-in friend Jerry Dahlen, a member of the Monroe, Wisconsin police department, that her brother was in trouble again and that federal agents were planning to search their residence. Dampier relayed that information to Wyss who denied knowing the reasons for agents' interest in him.

Dampier and Dahlen confirmed that Wyss received mail at their residence, but lived in the sleeper compartment of his tractor-trailer. Wyss's location was subsequently determined through a court order to Sprint. That order authorized agents to obtain cellular tower location information used by Wyss's cellular telephone to connect to the Internet.

U.S. v. Wyss, supra.

According to the opinion, Wyss was arrested and officers executed a search warrant at

his tractor-trailer at a border checkpoint north of Laredo, Texas. Among various items seized during the search of the sleeper compartment and admittedly owned by Wyss, agents found a Gateway laptop computer with a hard drive that was completely empty, a Sprint cellular telephone, three Sprint aircards Wyss admitted using to access the Internet, an empty box for a Toshiba laptop computer, a power cord that did not fit the Gateway laptop, a product key for a Toshiba laptop, and a DVD with the image of a child, nude from waist up, and containing the word `Lolita’.

After receiving his `Miranda’ rights Wyss orally agreed to speak to agents. He denied involvement with child pornography and membership in an internet bulletin board. While denying ever using the screen name Bones, he did admit to visiting other interest websites that corresponded with online activities and postings by Bones.

Subsequently during a series of jailhouse discussions with his cellmate, Wyss admitted he used the name Bones on Dreamboard, describing his and other members use of that internet bulletin board. Wyss further admitted that he destroyed certain incriminating evidence of child pornography before his arrest due to suspicion that he was under investigation. The cellmate, Michael Biggs, was a Dreamland member who testified against Wyss pursuant to a plea agreement. . . .

Over defense objections, [at Wyss’] trial,] Sprint's custodian of records gave testimony to authenticate records of IP addresses, data usage and customer subscriber information. He further explained that the records were maintained by Sprint for billing purposes. The government's computer forensics expert Fottrell testified how he linked the IP addresses and data used by Bones on Dreamboard's servers to the IP addresses and data assigned to Wyss' Sprint account records.

U.S. v. Wyss, supra.

Wyss made several arguments on appeal, only one of which is examined here.  He argued that Rules 702 and 704 of the Federal Rules of Evidence were violated when

the district court [judge], over his timely objection, impermissibly allowed the government's computer forensic expert to opine that Wyss is the same person who participated on Dreamboard using the name Bones. He further argues that the erroneous admission of that testimony gravely affected his substantial rights to a fair and impartial trial.

The prosecution counters that there is no showing of an abuse of discretion because the expert was accepted as a computer forensic expert, sufficient reliable evidence of record formed the basis for his opinion, and that it did not embrace Wyss's mental state or condition.

U.S. v. Wyss, supra.

The Court of Appeals began its analysis of Wyss’ argument by noting that

[w]e review evidentiary rulings for an abuse of discretion, and in the event of error, we will affirm provided the error is harmlessSee U.S. v. Valencia, 600 F.3d 389 (U.S. Court of Appeals for the 5th Circuit 2010). While `review of evidentiary rulings is heightened in a criminal case,’ U.S. v. Gutierrez–Farias, 294 F.3d 657 (U.S. Court of Appeals for the 5th Circuit 2002), to obtain reversal, the appellant `must demonstrate that the district court's ruling caused him substantial prejudice.’ U.S. v. Bishop, 264 F.3d 535, 546 (U.S.Court of Appeals for the 5th Circuit 2001).

U.S. v. Wyss, supra.

The court then outlined the legal issues raised by Wyss’ argument about the trial judge’s letting the government’s expert to express his opinion that Wyss was “Bones”:

An expert witness may testify at trial if his/her `scientific, testimonial or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue.’ Federal Rules of Evidence 702. Further, an expert may testify `in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data; (2) the testimony is a product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.’ Federal Rules of Evidence 702.

An expert `opinion is not objectionable just because it embraces a ultimate issue’. Federal Rules of Evidence 704. An expert in a criminal case may not, however, offer `an opinion about whether the defendant did or did not have a mental state or condition that constitutes an element of the crime charged or of a defense. Those matters are for the trier of fact along.’ Federal Rules of Evidence 704.

U.S. v. Wyss, supra.

The Court of Appeals then applied this standard and found there was no error:

Testimony from the government's computer forensic expert, Fottrell, was based on examination and comparisons of Wyss's Sprint records, IP addresses and data assigned to him on certain dates and times, along with data retrieved from the Dreamboard servers showing the IP addresses and data that correspond to postings by Bones.

Without objection during his direct examination, the expert explained how he identified the use of Wyss's Sprint internet account to post messages on Dreamboard under the name of Bones on multiple occasions during relevant periods of time. Testimony also showed there was only one Dreamboard member using the name Bones as an identifier.

Cross examination of the expert sought to shift responsibility for Dreamboard postings away from Wyss to the possibility of technical manipulation of his computer by others, including third party access to control his computer, in order to make Dreamboard postings. On re-direct examination, over defense objection, and in response to the defense proffered possibilities of technical manipulation, the expert stated he `believed that John Wyss, Sprint customer, is Bones on Dreamboard.’

As stated before, that conclusion was based on linking up Dreamboard activity with Wyss's Sprint account usage. At that point and upon counsel's request, the district court admonished the jury on the use of expert testimony. While the instruction was neither the full pattern instruction nor an objected-to charge on how to treat expert testimony, the ultimate jury instructions given at the end of trial gave the complete explanation. We discern no substantial harm in the latter regards.

U.S. v. Wyss, supra.

The court also noted that

[e]ven assuming errors from the opinion testimony, it was harmless error in light of the remaining overwhelming evidence, which was discussed above. Wyss acknowledges that prior to the opinion given during redirect examination, the expert provided the jury with adequate information to reasonably decide whether Wyss operated under the online screen name `Bones’. 

In additional consideration of all other evidence in the light more favorable to the prosecution and due deference to the jury's verdict, we agree.

U.S. v. Wyss, supra.

Friday, October 25, 2013

Time Warner, the Keystroke Logger and Computer Crime

After he was convicted of three counts of computer trespass in violation of New York Penal Law § 156.10, three counts of computer tampering in the third degree in violation of New York Penal Law § 156.25[1], one count of unlawful duplication of computer related material in the first degree in violation of New York Penal Law § 156.30[2] and one count of criminal possession of computer related material in violation of New York Penal Law § 156.35, Louis Puesan appealed.  People v. Puesan, 2013 WL 5525987 (New York Supreme Court – Appellate Division 2013).  (For the convictions, he was sentenced to “an aggregate term of five years’ probation.”  People v. Puesan, supra.)

As to how the case arose, the opinion explains that on November 9, 2007, Puesan was

placed on disability leave from his job as a field technician for Time Warner Cable. . . . [A]n employee who is placed on work leave is not considered an active employee; his or her access card is disabled and thus cannot be used to gain access to the company's offices. 

This policy is announced in employee handbooks provided to employees, and any employee placed on leave is instructed by human resources department personnel regarding that policy. Since the public is not allowed to enter Time Warner Cable's Northern Manhattan office, security guards are stationed outside to ensure those entering the building have valid ID cards.

[At trial,] David Lopez, a head-end technician for Time Warner Cable, testified that sometime in late January or early February 2008, he arrived at work at the company's Northern Manhattan office . . . and spotted [Puesan] nearby. During a brief conversation, [Puesan] asked Lopez for [his] personal log-in and password for Time Warner Cable's billing and customer information system, CSG, but Lopez refused. 

[Puesan said] he would find another way to get that information. Specifically, . . . [Puesan] said he `might use a keylogger’ to get the password he needed to gain access. . . . Lopez warned Monty Harris, a Time Warner Cable crew chief and field technician, and two supervisors, Lance Giancotti and Thomas Bonelli, that [Puesan] might do something to the computers in the company's `service ready room.’ The service ready room is accessible to all employees, and contains three computers, one main computer and two `thin client’ computers. All three computers are installed with a program, CSG, that gives employees access to customers' personal information.

People v. Puesan, supra.

The opinion says it was “undisputed” that on February 10, 2008, Puesan entered the

Time Warner Cable Northern Manhattan office at 5:17 p.m., and left at 6:03 p.m. [At 5:30 p.m.,] Lopez . . . saw [him] using a computer in the service ready room. . . .[W]hile Lopez and Harris saw [Puesan] using all three of those computers . . . neither could see what he was doing with [them]. . . .

From the time he first saw [Puesan] using the computers to the time he left at 6:30 p.m., Harris saw no other individual using [them]. [He] did not notify anyone about [Puesan’s] use of the computer at the time; nor did he check the computers after [Puesan] left.

The following morning, . . . Harris logged on to the computers in the service ready room and noticed a program, Cracks, was open and running on the main computer. Harris was curious as to what the program was, and . . . visited the website and found it was a site that showed `how to generate password keys for software.’ This website and program was used to gain access to password-protected software. Harris discovered the same program was open and running on the other two computers in the room. 

As Harris went to report his findings, he saw Lopez walking in to the room. He and Lopez talked, and Harris reported his findings to Paul Hart, a foreman. Hart notified supervisor Lance Giancotti about the situation, and Giancotti concluded there had been a security breach.

Giancotti reported the security breach to Sandip Gupta, Time Warner Cable's Senior Director of Information Technology, and Gupta directed Marc Rosenthal, the IT Manager of Network Support, to go to the Northern Manhattan office to examine the three computers in the service ready room. On examining the computers, Rosenthal noticed a program, Winvestigator, that was never installed or used by Time Warner Cable. 

Rosenthal took screen shots of the computers, which showed Winvestigator was installed on each of [them] between 5:45 p.m. and 6:15 p.m. on February 10, 2008. A search through the computers' browser history revealed a site called Tropical Software was visited on all three computers, and Rosenthal discovered Winvestigator could be downloaded and purchased from that site. Rosenthal gathered and secured the computers to take them to Time Warner's 23rd Street office.

When the computers arrived at Time Warner Cable's lab on 23rd Street, Rosenthal and Gupta discovered unplugging them had caused the hard drives to be erased on the two `thin client’ computers. However, the main computer's hard drive remained intact, and Rosenthal was able to make a copy to analyze without damaging the contents of the original hard drive.

[He] was unable to access Winvestigator's log file, which keeps track of the program's information and data, and discovered it had been password protected. To gain access to [it] Gupta purchased a `back-door’ password to . . . Winvestigator. Rosenthal was able to access the program. He discovered [it] had stored his own password as well as Giancotti's. The individual who installed Winvestigator on the Time Warner computers . . . had set the program's password to `lp.’

People v. Puesan, supra.

Tom Allen, Time Warner Cable's Vice President of Security, was notified of the problem in the Northern Manhattan office and reported it to the New York City Police Department.  People v. Puesan, supra. On April 3, Allen and Rosenthal turned over two hard drives and a desktop computer tower to Detective Jorge Ortiz, of the NYPD's Computer Crime Squad, who was trained in computer forensics. People v. Puesan, supra. Ortiz made copies of the hard drives and desktop tower and conducted a forensic analysis on the copies. People v. Puesan, supra.

He ran a program named NetAnalysis, which analyzes the computer's Internet history, and two malware detection programs, Gargoyle and Encase. He found that on February 10, 2008, at 5:32:09 p.m., someone visited . . ., which provides individuals with access codes and key generators to access specific software. Additionally, between 5:32:58 p.m. and 5:58:19 p.m., someone visited the home page of Tropical Software, which makes Winvestigator, and downloaded the program.

Both Gargoyle and Encase showed Winvestigator [was] installed on the desktop computer on February 10, 2008. . . . Ortiz determined Winvestigator's settings were set to log keystrokes, user sign-ons, and the times programs opened and closed. 

[It was also] programmed to self-encrypt and not warn others that the program was running, so anyone without the programmed password would be unable to look at the Winvestigator log file, because it would display only incomprehensible text. Ortiz determined Winvestigator had started to log keystrokes at 5:37 p.m. on February 10, 2008.

People v. Puesan, supra.

On appeal, Puesan claimed the evidence presented at trial (and summarized above) was not sufficient to prove his guilty of the charges against him beyond a reasonable doubt. People v. Puesan, supra.  The court began its analysis of the argument by explaining that to “determine the legal sufficiency of the evidence to support a conviction, the Court must view the evidence in the light most favorable to the People to decide whether any rational trier of fact, using any valid line of reasoning, could have found the elements of each crime beyond a reasonable doubt.” People v. Puesan, supra. 

The Appellate Division began with Puesan’s convictions for computer trespass, noting that "under Penal Law § 156.10,” the evidence must show he “`knowingly use[d] . . . or accesse[d] a computer . . .  or computer network without authorization and . . .  knowingly gain[ed] access to computer material.’” People v. Puesan, supra.   Puesan claimed he could not be “convicted of accessing `computer material’ because he did not gain access to the types of materials defined in the statute” and the evidence did not prove “he lacked authorization to use the three computers.” People v. Puesan, supra.  

The court disagreed, finding, first, that the evidence “fully supports” the conclusion that Puesan accessed Time Warner’s computers when he was not authorized to do so:

Time Warner announced in its employee handbook that employees on disability leave were prohibited from entering the building, and the company deactivated those employees' access cards; this establishes that [he] had actual notice that he lacked authorization to enter the building and to use the company's computers. 

Furthermore, [Puesan’s] request of Lopez to use his log-in information, Lopez's refusal, and [Puesan’s] reply that he would find another way to access the system, support the finding that [he] was aware of his lack of authorization.

People v. Puesan, supra.  

As to Puesan’s argument that he did not access computer material, the court noted that under New York Penal Law § 156.00[5], computer material consists of computer data or a computer program that “`is not and is not intended to be available to anyone other than the person . . . rightfully in possession’” of it and that “accords or may accord such rightful possessors an advantage over competitors or other persons who do not have knowledge or the benefit thereof’”.  People v. Puesan, supra (quoting §156.00[5]). 

The court explained that by using log-in information and passwords obtained through his use of the keystroke-logging program Puesan was able to obtain information that was not meant “to be available to anyone but Time Warner and its “authorized employees”.  People v. Puesan, supra.  It also found that the information was the “sort of information businesses have an interest in protecting and keeping away from competitors.”  People v. Puesan, supra.   It therefore found the evidence supported Puesan’s convictions for computer trespass.  People v. Puesan, supra.  

The court then took up Puesan’s challenge to his convictions for computer tampering, noting that the crime “is committed when the individual uses or accesses a computer without authorization and `intentionally alters in any manner or destroys computer data or a computer program of another person’”.  People v. Puesan, supra (quoting New York Penal Law § 156.20). Since the Appellate Division had already found that “the evidence supports the finding that [Puesan] used or accessed three Time Warner computers without authorization”, the only issue to be resolved was whether it proved beyond a reasonable doubt that he  intentionally altered or destroyed computer data or a computer program.” People v. Puesan, supra.  

The court found that it did:  “The installation of a program that secretly monitors and replicates other users' keystrokes, and self-encrypts if the wrong password is used to attempt access to it, constitutes an alteration of the computer programs or programs on of the computers on which it was installed.” People v. Puesan, supra.   The Appellate Division therefore affirmed his convictions for this offense. People v. Puesan, supra.  

Next, Puesan challenged his conviction for unlawful duplication of computer related material in violation of New York Penal Law § 156.30[2].  People v. Puesan, supra.   The court noted that someone commits this offense when “having no right to do so, he or she copies, reproduces or duplicates in any manner . . . any computer data or computer program with an intent to commit or attempt to commit or further the commission of any felony.” People v. Puesan, supra (quoting § 156.30[2]). Puesan argued that “there is insufficient evidence that he duplicated or copied computer materials.”  People v. Puesan, supra.   The Appellate Division, however, found that the act of installing

a keystroke logging program to reproduce other employees' user ID's and passwords amounts to arranging for the duplication of that log-in information, to which [Puesan] alone gained access. The finding that [he] arranged for the duplication of the user log-in information in furtherance of his commission of the felony of computer trespass is fully supported by the evidence.

People v. Puesan, supra.  

Finally, Puesan challenged his conviction for criminal possession of computer related material.  People v. Puesan, supra.  One is guilty of this offense when he/she “having no right to do so,” knowingly possesses, “in any form, any copy, reproduction or duplicate of any computer data or computer program which was copied, reproduced or duplicated in violation of [New York Penal Law §] 156.30 . . . with intent to benefit himself or a person other than an owner thereof.”  New York Penal Law § 156.35.  Puesan argued that “it was not proven that he `possessed’ computer related materials with the intent to `benefit’ himself”.   People v. Puesan, supra.

The Appellate Division did not agree.  It noted, first, that it had already “determined that there is legally sufficient evidence to establish that [Puesan] arranged for the duplication of computer data in violation of Penal Law § 156.30”.  People v. Puesan, supra. The court then found that there

is no requirement that [Puesan] physically, tangibly possess the copies or duplicates of the information stored by the Winvestigator program; the statute expressly states that possession `in any form’ is sufficient. Since [he] alone had access to and exercised control over the information Winvestigator duplicated, it follows that he constructively possessed such duplicated materials.

As to whether his possession of the illicitly duplicated computer data was `with intent to benefit himself or a person other than an owner thereof,’ [Puesan’s] expressed desire to gain access to Time Warner's CSG program, as well as the actions he took to gain that access, permit the inference that he intended to benefit either himself or someone else with the information he could obtain from the CSG system.

People v. Puesan, supra.

The court therefore affirmed his conviction and sentence on all charges. People v. Puesan, supra.  If you are interested, you can find a press release on the case here.