U.S. v. John

• Decision Date: 09 February 2010
• Docket Number: No. 08-10459.,08-10459.
• Citation: 597 F.3d 263
• Parties: UNITED STATES of America, Plaintiff-Appellee, v. Dimetriace Eva-Lavon JOHN, Defendant-Appellant.
• Court: U.S. Court of Appeals — Fifth Circuit

597 F.3d 263

UNITED STATES of America, Plaintiff-Appellee, v. Dimetriace Eva-Lavon JOHN, Defendant-Appellant.

No. 08-10459.

United States Court of Appeals, Fifth Circuit.

February 9, 2010.

Marc Woodson Barta, Asst. U.S. Atty. (argued), Dallas, TX, for U.S.

Kevin Joel Page (argued), Fed. Pub. Def., Dallas, TX, for John.

Appeal from the United States District Court for the Northern District of Texas.

Before SMITH, OWEN and HAYNES, Circuit Judges.

OWEN, Circuit Judge:

Dimetriace Eva-Lavon John was found guilty by a jury on all counts of a seven-count indictment arising out of her involvement in a scheme to incur fraudulent charges on accounts held by various Citigroup customers. John challenges her convictions and sentence in this appeal. We affirm the convictions but vacate her sentence and remand for further proceedings.

I

Dimetriace Eva-Lavon John was employed as an account manager at Citigroup for approximately three years. By virtue of her position, she had access to Citigroup's internal computer system and customer account information contained in it. In September 2005, John provided Leland Riley, her half-brother, with customer account information enabling Riley and other confederates to incur fraudulent charges.

John accessed and printed information pertaining to at least seventy-six corporate customer accounts and provided it to Riley. The information was in the form of either scanned images of checks written by the account holders or printouts of computer screens containing detailed account information. Before he was apprehended, Riley and cohorts used information John had provided to incur fraudulent charges on four different accounts.

A grand jury returned a seven-count indictment against John. Count 1 charged John with conspiracy to commit access device fraud in violation of 18 U.S.C. § 371. Counts 2 through 5 charged John with fraud in connection with an access device and aiding and abetting, in violation of 18 U.S.C. §§ 1029(a)(5) and (2). Counts 6 and 7 charged John with exceeding authorized access to a protected computer in violation of 18 U.S.C. §§ 1030(a)(2)(A) and (C). A jury found John guilty on all seven counts.

A Presentence Report (PSR) concluded that the Sentencing Guideline applicable to the conspiracy count was § 2X1.1(a),¹ which provides that the base offense level is that applicable to the substantive offense. The substantive offense underlying the conspiracy count—a violation of 18 U.S.C. § 1029(a)(5)—is governed by § 2B1.1 of the Guidelines, which provides for a base offense level of six. However, in calculating the advisory Guidelines sentencing range, the PSR recommended that the base offense level be increased by 16 levels because the PSR concluded that John intended to cause a loss of approximately $1,451,865. The PSR also determined that John intended to obtain account holders' personal information and accordingly added two levels pursuant to § 2B1.1(b)(14)(A)(i)(II). After other adjustments that are not at issue in this appeal, the PSR arrived at a final base offense level of thirty. John had no criminal history, and the resulting advisory Guidelines range of imprisonment was 97-121 months. The district court ultimately sentenced John to 108 months' imprisonment.

II

John has raised several issues regarding her convictions. Her first contention is that the evidence was insufficient to support her convictions on Counts 6 and 7 under 18 U.S.C. § 1030(a)(2) for exceeding authorized access to Citigroup's computers. She candidly acknowledges that at trial her counsel failed to renew a motion for acquittal at the close of the evidence and that we therefore may only reverse her convictions on these counts "if there was a `manifest miscarriage of justice,' which would occur if there is no evidence of the defendant's guilt or `the evidence on a key element of the offense was so tenuous that a conviction would be shocking.'"²

Whether John's convictions on Counts 6 and 7 may be sustained depends on the proper interpretation of "exceeds authorized access" as used in § 1030(a)(2) and defined in § 1030(e)(6).

John was convicted of violating § 1030(a)(2), which provides:

(a) Whoever—

...

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); ...

shall be punished as provided in subsection (c) of this section.³

The term "exceeds authorized access" is defined in § 1030(e)(6): "the term `exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter...."

John argues that she was authorized to use Citigroup's computers and to view and print information regarding accounts in the course of her official duties. The evidence, she contends, reflects only that she was not permitted to use the information to which she had access to perpetrate a fraud, she could make changes to account information only in compliance with a customer's request, and she was not permitted to take material she printed regarding accounts from her office building. She asserts that her mental state or motive at the time she accessed or printed account information cannot determine whether she violated 18 U.S.C. § 1030(a)(2). Specifically, she argues that the statute does not prohibit unlawful use of material that she was authorized to access through authorized use of a computer. The statute only prohibits using authorized access to obtain information that she is not entitled to obtain or alter information that she is not entitled to alter, John contends.

We first note that John was not charged in Counts 6 or 7 with altering information in Citigroup's computer system. She was charged with "exceeding authorized access" and obtaining confidential Citigroup and Home Depot customer account information.

The statute at issue prohibits both accessing a computer "without authorization" and "exceed[ing] authorized access" to obtain specified information.⁴ The statute does not define "authorized," or "authorization," which is used in the definition of "exceeds authorized access."⁵ The question before us is whether "authorized access" or "authorization" may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system. We conclude that it may, at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime.

To give but one example, an employer may "authorize" employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer's business. An employee would "exceed[] authorized access" if he or she used that access to obtain or steal information as part of a criminal scheme.

In United States v. Phillips, this court analyzed whether a criminal defendant had accessed university computers "without authorization" in violation of § 1030(a)(5)(A)(ii), as distinguished from "exceed[ing] authorized access," and we recognized that "[c]ourts have ... typically analyzed the scope of a user's authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user."⁶ We applied this "intended-use analysis" to conclude that a student who used his privilege of access to a university's computer was not authorized to access parts of the system to which he had not been given a password.⁷ John's situation differs from that of the student in Phillips because John was authorized to view and print all of the information that she accessed and that she provided to Riley. However, John's use of Citigroup's computer system to perpetrate fraud was not an intended use of that system.

John's use of Citigroup's computer system to perpetrate a fraud was also contrary to Citigroup employee policies, of which she was aware. The First Circuit has held that an employment agreement can establish the parameters of "authorized" access. In EF Cultural Travel BV v. Explorica, Inc., the plaintiffs brought a civil action under the Computer Fraud and Abuse Act (CFAA)⁸ seeking injunctive relief against former employees who had become competitors.⁹ The former employees used their knowledge of codes that they had obtained while in their former employment to create a high-speed computer program to mine their former employer's public website for pricing information.¹⁰ The former employees had entered into a broad confidentiality agreement with their former employers protecting proprietary information.¹¹ The First Circuit held "that because of the broad confidentiality agreement [the former employees'] actions `exceed[ed] authorized access'" within the meaning of § 1030(a)(4).¹² The court reasoned, "[the former employees'] wholesale use of EF's travel codes to facilitate gathering EF's prices from its website reeks of use—and, indeed, abuse—of proprietary information that goes beyond any authorized use of EF's website."¹³ The court continued, "[i]f EF's allegations are proven, it will likely prove that whatever authorization [former employees] had to navigate around EF's site (even in a competitive vein), [they] exceeded that authorization by providing proprietary information and know-how to [a programmer] to create the scraper."¹⁴

While we do not necessarily agree that violating a confidentiality agreement under circumstances such as those in EF Cultural Travel BV would give rise to criminal culpability, we do agree with...