United States v. Morris
United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act. In the process, the dispute clarified much of the language used in the law, which had been heavily revised in a number of updates passed in the years after its initial drafting. Also clarified was the concept of "unauthorized access," which is central in the United States' computer security laws.
Case background
Robert Tappan Morris was a Cornell student, who began work in 1988 on an early Internet worm. He had been given explicit access to a Cornell computer account upon entering the school, and used this access to develop his worm. Morris released the worm from MIT, in an attempt to disguise its source. The worm spread through four mechanisms:
- Through a bug in Sendmail, an email program.
- Through a bug in Finger, a program used to find out information about other users on networked computers.
- Through a "trusted hosts" feature, which allows users from one system to use another system without a password.
- Through a password brute-force attack.
The worm was designed so that it would not spread to computers that it had already infected. To prevent computers from defending against this by pretending to have the worm, however, it would still infect an already infected computer one out of seven times. The worm was also designed so that it would be erased when an infected computer was shut down, thus preventing multiple infections from becoming problematic. Morris' underestimation of the rate of reinfection caused this safeguard to be ineffective, and "tens of thousands" of computers were rendered catatonic by repeated infections. It was estimated that between $200 and $53,000 was required per infected facility to clean up after the worm.
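The one-in-seven rule above can be modelled exactly to show why the duplicate check failed as a safeguard, and what the rule meant for hosts that only pretended to be infected. This is an added example, not code from the worm or the court record; the independence assumption, the function names and the contact counts are constructed for illustration.

```python
from fractions import Fraction
from math import comb

# From the page: an already infected host is still reinfected "one out of seven times".
REINFECT = Fraction(1, 7)


def copy_distribution(contacts, p=REINFECT):
    """Exact distribution of worm copies on one infected host.

    Assumption (not from the page): each of `contacts` further infection
    attempts is independent and adds a copy with probability p, so the
    number of extra copies is Binomial(contacts, p).
    """
    p = Fraction(p)
    q = 1 - p
    return {
        1 + extra: comb(contacts, extra) * p**extra * q ** (contacts - extra)
        for extra in range(contacts + 1)
    }


def expected_copies(contacts, p=REINFECT):
    """Mean number of copies competing for the host's CPU and memory."""
    return sum(k * pr for k, pr in copy_distribution(contacts, p).items())


def prob_at_least(contacts, copies, p=REINFECT):
    """Probability that the host is running `copies` or more instances."""
    dist = copy_distribution(contacts, p)
    return sum(pr for k, pr in dist.items() if k >= copies)


def decoy_survival(contacts, p=REINFECT):
    """Chance that a clean host which only claims to be infected stays clean."""
    return (1 - Fraction(p)) ** contacts


if __name__ == "__main__":
    # Constructed contact counts; the page gives no per-host figures.
    for n in (7, 35, 70, 140):
        print(
            f"{n:>3} repeat contacts: "
            f"strict check -> {expected_copies(n, 0)} copy, "
            f"1-in-7 override -> {float(expected_copies(n)):.0f} expected, "
            f"P(>=5 copies) = {float(prob_at_least(n, 5)):.3f}, "
            f"decoy still clean = {float(decoy_survival(n)):.3f}"
        )
```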
Morris was found guilty by the United States District Court for the Northern District of New York of violating 18 U.S.C. 1030(a)(5)(A), and was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the cost of his supervision.
Discussion
Legal discourse took place on three main issues: whether Morris had to have intended to cause damage, whether Morris really had gained unauthorized access, and whether the District Court had properly informed the jury of the subtleties of the case.
Intent to cause damage
As it read in 1991, , part of the Computer Fraud and Abuse Act, covered anyone who:
(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby
(A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period; ...
Morris argued that this did not apply to him, as the Government could not conclusively prove that he had intended to cause damage to a Federal interest computer. Federal interest computers are defined as any that participate in national or international commerce, or that are used in a federal or governmental institution. The Government disagreed, stating that since a comma separated the "intentionally" phrase from the rest of the section, it did not necessarily apply. This use of punctuation to separate adverbs has precedents in Burlington No. R. Co. v. Okla. Tax Comm'n and Consumer Product Safety Comm'n v. GTE Sylvania, Inc.
The court also took into consideration the language used in previous versions of the law to determine the intent of Congress. In the 1986 amendment to the law, section 1030(a)(2) had its mental state requirement changed from "knowingly" to "intentionally." This was done in order to disallow purposeful unauthorized access, not "mistaken, inadvertent, or careless" acts. The court reasoned that since this "intentionally" phrase was inserted into the law in order to avoid punishing users who had accidentally accessed a computer they did not have authorization to access, it applied strictly to the "accesses" clause, not the "damages" one. There is no evidence that Congress intended to make it legal to accidentally damage another computer; therefore the "intentionally" specification was not made there. Additionally, the Government suggested that many other subsections of 1030, specifically (a)(1), continue to repeat the mental state requirement before each clause, indicating that the lack of such repetition in (a)(5)(A) is indicative of the short reach of the "intentionally" adverb.
To contest this claim, Morris cited a different section of the Senate Report: "[t]he new subsection 1030(a)(5) to be created by the bill is designed to penalize those who intentionally alter, damage, or destroy certain computerized data belonging to another." The court, however, found the Government's evidence of the changing language of the statute to be more convincing.
Unauthorized access
Morris argued that, since he was given access to computers at Cornell, Harvard, and Berkeley, by releasing the worm he had simply exceeded authorized access, not gained unauthorized access. For this reason, he theorized that section (a)(3), not (a)(5)(A), properly covered him. This defense is based in another section of the Senate report, which stated that the Computer Fraud and Abuse Act would be aimed at "outsiders" (people not authorized to use federal interest computers). Because Morris did have access to computers of this nature, he stated that his actions were not completely unauthorized. However, the aforementioned Senate report also states that the law applies "where the offender's act of trespass is interdepartmental in nature." The court reasoned that since Morris' worm reached computers spanning U.S. government departments, including military ones, 18 U.S.C. 1030 properly applied to him.
The court also pointed out that since Morris used the sendmail and finger programs in a way they were not intended to be used, his "exceeded authorization" defense was further weakened. Since Morris only used these programs because they had security holes he could exploit to gain access to computers he could not otherwise access, this use exemplifies "unauthorized access". The fact that the worm guessed passwords to break into other systems further highlights this point.
Proper instruction of the jury
Morris claimed that the District Court improperly educated the jury on the specifics of his case. First, he complained that the District Court had not provided a definition of "authorization" to the jury. The Court had stated that "authorization" was of common usage and not required to be defined. The Appellate Court in this case agreed, citing precedent. Morris also contended that the District Court wrongly did not instruct the jury on "exceeding authorized access" using his proposed definition. Again, the Appellate Court agreed with the District Court's decision, stating that extra definition would be potentially confusing, and that Morris's proposed instruction was incorrect. Additionally, the term "exceeding authorized access" implies that it is less serious than "unauthorized access," but even if this was the case, Morris was liable under many parts of the Computer Fraud and Abuse Act.
Court's decision
The US Court of Appeals, Second Circuit affirmed the decision of the lower District Court, in which Morris was found guilty of violating 18 U.S.C. 1030(a)(5)(A).
Case reception
In 1996 the Computer Fraud and Abuse Act was amended again to clarify the intent problems that made up the majority of U.S. v. Morris. The adverbs "knowingly" and "intentionally" were inserted in more places in the statute, in an attempt to make litigation with the law simpler in the future.
This case affirmed the strength of the Computer Fraud and Abuse Act. Prior to this decision, it had been assumed that the Act required intent to cause damage - which was thought to be very hard to prove. The ruling here demonstrated that this was not the case.