U.S. v. Phillips

Citation: 477 F.3d 215
Decision Date: 24 January 2007
Docket Number: No. 05-51271.
Parties: UNITED STATES of America, Plaintiff-Appellee, v. Christopher Andrew PHILLIPS, Defendant-Appellant.
Court: United States Court of Appeals (5th Circuit)

Joseph H. Gay, Jr., Asst. U.S. Atty., Mark Twain Roomberg (argued), San Antonio, TX, for Plaintiff-Appellee.

Terrence W. Kirk (argued), Austin, TX, for Defendant-Appellant.

Appeal from the United States District Court for the Western District of Texas.

Before JONES, Chief Judge, and SMITH and STEWART, Circuit Judges.

EDITH H. JONES, Chief Judge:

Christopher Andrew Phillips ("Phillips") appeals his conviction for intentionally accessing a protected computer without authorization and recklessly causing damage in excess of $5,000, pursuant to the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. §§ 1030(a)(5)(A)(ii) and (B)(i). Phillips alleges that (1) insufficient evidence was presented at trial to support his conviction under § 1030(a)(5)(A)(ii); (2) the district court's jury charge constructively amended the indictment; (3) the district court's failure to include a lesser-included offense instruction in the jury charge was error; and (4) the district court's award of over $170,000 in restitution under 18 U.S.C. § 3663A was erroneous. Finding no reversible error, we AFFIRM.

I. BACKGROUND

Phillips entered the University of Texas at Austin ("UT") in 2001 and was admitted to the Department of Computer Sciences in 2003. Like all incoming UT students, Phillips signed UT's "acceptable use" computer policy, in which he agreed not to perform port scans using his university computer account.[1] Nonetheless, only a few weeks after matriculating, Phillips began using various programs designed to scan computer networks and steal encrypted data and passwords. He succeeded in infiltrating hundreds of computers, including machines belonging to other UT students, private businesses, U.S. Government agencies, and the British Armed Services webserver. In a matter of months, Phillips amassed a veritable informational goldmine by stealing and cataloguing a wide variety of personal and proprietary data, such as credit card numbers, bank account information, student financial aid statements, birth records, passwords, and Social Security numbers.

The scans, however, were soon discovered by UT's Information Security Office ("ISO"), which informed Phillips on three separate occasions that his computer had been detected portscanning hundreds of thousands of external computers for vulnerabilities. Despite several instructions to stop, Phillips continued to scan and infiltrate computers within and without the UT system, daily adding to his database of stolen information.

At around the time ISO issued its first warning in early 2002, Phillips designed a computer program expressly for the purpose of hacking into the UT system via a portal known as the "TXClass Learning Central: A Complete Training Resource for UT Faculty and Staff." TXClass was a "secure" server operated by UT and used by faculty and staff as a resource for enrollment in professional education courses. Authorized users gained access to their TXClass accounts by typing their Social Security numbers in a field on the TXClass website's log-on page. Phillips exploited the vulnerability inherent in this log-on protocol by transmitting a "brute-force attack" program,[2] which automatically transmitted to the website as many as six Social Security numbers per second, at least some of which would correspond to those of authorized TXClass users.

Initially, Phillips selected ranges of Social Security numbers for individuals born in Texas, but he refined the brute-force attack to include only numbers assigned to the ten most populous Texas counties. When the program hit a valid Social Security number and obtained access to TXClass, it automatically extracted personal information corresponding to that number from the TXClass database and, in effect, provided Phillips a "back door" into UT's main server and unified database. Over a fourteen-month period, Phillips thus gained access to a mother lode of data about more than 45,000 current and prospective students, donors, and alumni.

Phillips's actions hurt the UT computer system. The brute-force attack program proved so invasive — increasing the usual monthly number of unique requests received by TXClass from approximately 20,000 to as many as 1,200,000 — that it caused the UT computer system to crash several times in early 2003. Hundreds of UT web applications became temporarily inaccessible, including the university's online library, payroll, accounting, admissions, and medical records. UT spent over $122,000 to assess the damage and $60,000 to notify victims that their personal information and Social Security numbers had been illicitly obtained.

After discovering the incursions, UT contacted the Secret Service, and the investigation led to Phillips. Phillips admitted that he designed the brute-force attack program to obtain data about individuals from the UT system, but he disavowed that he intended to use or sell the information.

Phillips was indicted and convicted after a jury trial on one count of computer fraud pursuant to 18 U.S.C. § 1030(a)(5)(A)(ii) and (B)(i), and one count of possession of an identification document containing stolen Social Security numbers pursuant to 18 U.S.C. § 1028(a)(6). Phillips timely filed a motion for judgment of acquittal challenging, unsuccessfully, the sufficiency of the evidence regarding the loss amount used to support the computer fraud conviction, and asserting, correctly, that his conviction under § 1028(a)(6) violated the Ex Post Facto Clause.[3] He was sentenced to five years' probation, five hundred hours of community service, and restitution of $170,056. Phillips appealed.

II. DISCUSSION
A. Sufficiency of the Evidence

Phillips asserts that the Government failed to produce sufficient evidence that he "intentionally access[ed] a protected computer without authorization" under § 1030(a)(5)(A)(ii).

Although Phillips timely filed a motion for judgment of acquittal, see FED. R.CRIM.P. 29, the motion raised only the narrow issue whether the loss or damage caused by his online exploits exceeded $5,000.00. See § 1030(a)(5)(B)(i). Both the Government's opposition memorandum and the district court's ruling on the motion addressed this one issue. Accordingly, "[w]here, as here, a defendant asserts specific grounds for a specific element of a specific count for a Rule 29 motion, he waives all others for that specific count." United States v. Herrera, 313 F.3d 882, 884 (5th Cir.2002) (en banc), cert. denied, 537 U.S. 1242, 123 S.Ct. 1375, 155 L.Ed.2d 213 (2003) (emphasis in original). We thus review his newly raised claim that there was insufficient evidence of the statutorily required mens rea under § 1030(a)(5)(A)(ii) only for a "manifest miscarriage of justice." United States v. Green, 293 F.3d 886, 895 (5th Cir.2002) (internal quotation marks omitted). Under this exacting standard of review, a claim of evidentiary insufficiency will be rejected unless "the record is devoid of evidence pointing to guilt" or if the evidence is "so tenuous that a conviction is shocking." United States v. Avants, 367 F.3d 433, 449 (5th Cir.2004).

Phillips's insufficiency argument takes two parts: that the Government failed to prove (1) he gained access to the TXClass website without authorization and (2) he did so intentionally.

With regard to his authorization, the CFAA does not define the term, but it does clearly differentiate between unauthorized users and those who "exceed[] authorized access." See § 1030(e)(6) (defining "exceeding authorized access" as "access[ing] a computer with authorization and ... us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter ..."); see also §§ 1030(a)(1), (a)(2), (a)(4). Several subsections of the CFAA apply exclusively to users who lack access authorization altogether. See, e.g., §§ 1030(a)(3), (5)(A)(i), (5)(A)(ii), (5)(A)(iii). In conditioning the nature of the intrusion in part on the level of authorization a computer user possesses, Congress distinguished between "insiders, who are authorized to access a computer," and "outside hackers who break into a computer." See S.REP. No. 104-357, at 11 (1996); see also S.REP. No. 99-432, at 10, as reprinted in 1986 U.S.C.C.A.N. 2479, at 2488 (1986) (stating that §§ 1030(a)(3) and (a)(5) "will be aimed at `outsiders'").

Courts have therefore typically analyzed the scope of a user's authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user. Applying such an intended-use analysis, in United States v. Morris, 928 F.2d 504 (2d Cir.1991), a case involving an invasive procedure that prefigured modern portscanning, the Second Circuit held that transmission of an internet worm designed "to demonstrate the inadequacies of current security measures on computer networks by exploiting ... security defects" was sufficient to permit a jury to find unauthorized access within the meaning of § 1030(a)(5)(A). Morris, 928 F.2d at 505. The Morris court determined that conduct, like "password guessing" or finding "holes in . . . programs," that uses computer systems not "in any way related to their intended function" amounts to obtaining unauthorized access. Id. at 510; see also Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (9th Cir.2004) (internet site administrator's misappropriation of login names and passwords to obtain access to competitor's website violated CFAA); Theofel v. Farey-Jones, 359 F.3d 1066, 1074 (9th Cir.), cert. denied, 543 U.S. 813, 125 S.Ct. 48, 160 L.Ed.2d 17 (2004) (use of an authorized third-party's password by an outside hacker to gain access to a mail server fell within "the paradigm of what [Congress] sought to prohibit [under...
