Electronic Mail. Unauthorized Access to Computer System.
This court concluded that in determining the number of offenses committed under G. L. c. 266, s. 120F, which prohibits unauthorized access to a computer system, each unauthorized "login" to a computer system constitutes a separate offense, and the number of documents accessed during any given "login" is not relevant in determining the number of convictions [247-248]; thus, multiple convictions of unauthorized access to a computer system in violation of G. L. c. 266, s. 120F, were not warranted where the evidence presented at a criminal trial, although proving that the defendant had gained unauthorized access to a computer system on at least one occasion, was insufficient to enable the jury to determine how many times the defendant had done so [248-252].
COMPLAINT received and sworn to in the Quincy Division of the District Court Department on January 22, 2004.
The case was tried before Paul V. Buckley, J.
William A. Korman for the defendant.
Michael J. Markoff, Special Assistant District Attorney, for the Commonwealth.
DREBEN, J. After a jury trial, the defendant, who appeared pro se, was convicted of fifteen counts of unauthorized access to a computer system (G. L. c. 266, § 120F) and of one count of criminal harassment (G. L. c. 265, § 43A [a]). On appeal, now represented by counsel, the defendant does not contest the conviction for harassment. What he claims is that "[a]lthough the Commonwealth may have proved that unauthorized access to a computer system occurred on at least one occasion, the Commonwealth failed to prove that the elements of unauthorized access occurred fifteen separate times." We agree that the
evidence presented to the jury did not warrant fifteen convictions.
Because of a lack of direct authority discussing how the number of offenses under G. L. c. 266, § 120F, is to be determined, we will address that issue prior to discussing the particular facts here involved. The statute describes the offense as follows:
"Whoever, without authorization, knowingly accesses a computer system by any means, or after gaining access to a computer system by any means knows that such access is not authorized and fails to terminate such access, shall be punished by imprisonment in the house of correction for not more than thirty days or by a fine of not more than one thousand dollars, or both.
"The requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users." [Note 1]
G. L. c. 266, § 120F, inserted by St. 1994, c. 168, § 3.
The defendant and the Commonwealth agree on two principles: one, that each unauthorized "login" [Note 2] to a computer system constitutes a separate offense, and two, that the number of documents accessed upon any given "login" is not relevant in determining the number of convictions. We are in accord.
The first principle that each separate unauthorized "login" to a computer system is a separate offense finds support in Ebeling v. Morgan, 237 U.S. 625, 629 (1915). There, the defendant was charged with numerous counts under § 189 of the Criminal Code [Note 3] providing penalties for "[w]hoever shall tear, cut, or otherwise injure any mail bag, pouch, or other thing used or designed for use in the conveyance of the mail . . . ." The Supreme Court held that the offense as to each separate bag was complete when that bag was cut. Similarly, here, the offense
is complete as to each separate act of gaining unauthorized access (e.g., by "login") to a computer system.
The second principle is that each unauthorized "login" to a computer system must be distinguished from the subsequent accessing of individual documents during that "login." In Commonwealth v. Donovan, 395 Mass. 20 , 21-23 (1985) (Donovan), the defendants attached a "phony" night deposit box to a bank and received deposits from seven different bank customers. The jury found the defendants guilty on seven indictments for larceny. In reversing and holding that there was only one larceny, the Supreme Judicial Court quoted from State v. Myers, 407 A.2d 307, 309 (Me. 1979), in turn quoting from 2 Anderson, Wharton's Criminal Law & Procedure § 451 (1957): "The stealing of property from different owners at the same time and at the same place constitutes but one larceny." Donovan, 395 Mass. at 30. The Donovan court considered analogous the cases interpreting 18 U.S.C. § 1708 (1982), the Federal statute proscribing theft from the United States mail. Those cases, cited in Donovan, 395 Mass. at 30-31, hold that taking several letters from a mail depository simultaneously is one criminal act even though the letters are separate. Thus, whether a defendant should be charged with multiple counts of mail theft or a single count depends largely on whether the defendant stole multiple letters or packages at the same time or at different times. See Johnston v. Lagomarsino, 88 F.2d 86, 88 (9th Cir. 1937). We think the same reasoning applies here: when a defendant, without authorization, logs into a computer system and during that one "login" looks at, prints, copies, or otherwise accesses multiple documents, there is only one violation.
We now turn to the evidence elicited at the defendant's trial. The defendant and his former wife, Doris, had gone through a bitter divorce, and at the time of trial were still contesting the question of custody of their daughter. As the harassment conviction is not being appealed, we need not detail the events that led to that conviction other than to state that relations between the defendant and Doris remained hostile.
The unauthorized access to Doris's electronic mail messages (e-mail) was disclosed when the defendant, on August 6, 2003, sent an e-mail to Nancy, the former wife of Doris's fiancé, David. That e-mail included the following:
"I found you through emails shared by David to Doris. My daughter Lauren, informed me of my ex wife's password which has now been changed. I have in my possession, three emails from you to David, that David shared with Doris. The original email and his edited reply. I would gladly share them with you but they are on paper, not in a file. If you wish to know more, I would gladly give you the dates and details of them."
Nancy was a witness at trial. She testified that, at her request, she received from the defendant copies of numerous e-mails containing highly personal communications between David and Doris as well as one from her (Nancy's) daughter to David, who is her daughter's father.
Copies of the e-mails from the defendant to Nancy and of the eighteen e-mail printouts mailed to her by the defendant were exhibits at trial. [Note 4] On the bottom right-hand corner of each of the eighteen e-mail printouts appears a mechanically printed date. The earliest corner date is "3/30/03" and the latest is "7/14/03." Several printouts have the same date in the bottom right-hand corner. Thirteen different corner dates appear on the copies of the eighteen printouts the defendant sent to Nancy.
The fifteen counts of the criminal complaint charging the defendant with violations of G. L. c. 266, § 120F, were identical and stated that the defendant
"on 11/07/2002 THRU 10/31/2003: (1) without authorization, did knowingly access a computer system; or (2) after gaining access to a computer system, and knowing that such access was not authorized, did fail to terminate such access, in violation of G. L. c. 266, § 120F. (PENALTY: house of correction not more than 30 days; or not more than $1000 fine; or both.)"
We note that the November 7, 2002, date is the date of the earliest e-mail between Doris and David that was sent to Nancy. The November 7, 2002, printout has "5/13/03" on the bottom right-hand corner.
At trial the corner dates were never mentioned by the prosecutor, the defendant, the judge, or by any of the witnesses. The number of violations was hardly mentioned. The prosecutor in her opening spoke of the pattern of conduct directed against Doris Piersall and stated, "And I want you to keep in mind the unauthorized access of a computer system. Forget that there's fifteen counts. You will hear testimony of how many times and what's going on." At trial there was no testimony concerning multiple accesses or "logins" by the defendant; only the e-mails were discussed. In her closing, the prosecutor did not mention multiple accesses. Her only mention of numbers was
"Well, he downloaded her emails. Eighteen of them. Take a look at them. . . . They're love notes. . . . And whether or not you taught your four year old daughter your password doesn't give your ex-husband permission to go into your email. That computer system, and download them. All of those emails, and send them to anybody else."
The judge's complete instructions on the computer charges are set forth in the margin. [Note 5] He, too, made no mention of the number of violations or how to determine them. In discussing the verdict slips, he said,
"There will be jury verdict forms, and I've -- I've done this. There's three of them. And they are self-explanatory.
And there is one -- rather than submit to you fifteen on each count, one on each count, I've done one on count one, on the unauthorized access to the computer. So that's on one. And then I've done another form for the remaining counts, two to fifteen. Third, there'll be a jury verdict form for harassment."
In its brief, the Commonwealth points to the corner dates on the printouts and argues that the jury could infer that each date reflects a separate "login." Recognizing that there are only thirteen different corner dates, the Commonwealth urges that the number of the defendant's convictions be reduced to thirteen and that such thirteen convictions be affirmed. One difficulty with that solution is that the jury were never instructed as to how to determine the number of violations. There was no instruction to the jury that they were to consider each "login" as opposed to each e-mail as a separate access. Had there been sufficient evidence of multiple "logins," we would have held that the absence of proper instructions created a substantial risk of a miscarriage of justice entitling the defendant to a new trial.
The difficulty, however, is more serious as we cannot agree that the corner dates alone, without any testimony, expert or otherwise as to their import, provided sufficient evidence of separate "logins." While many jurors may be computer literate, many may not be. Moreover, each corner date may not reflect a separate "login" to the victim's e-mail. [Note 6] There was no evidence permitting the jury to consider each corner date as a separate "login," or to view the occurrence of the same corner date on several printouts as reflecting one "login." Not only was there no discussion of the significance of the corner dates, but the prosecutor made no mention of them and only referred to the eighteen e-mails. It was only the defendant who, in his closing, questioned the number of counts. We consider the evidence presented to the jury to have been insufficient to enable them to determine how many times the defendant gained unauthorized access to a computer system. Accordingly, the multiple convictions must be reversed.
The defendant does not urge that there was insufficient
evidence for conviction of one count of the crime. Indeed, his August 6, 2003, e-mail to Nancy clearly provides sufficient evidence of an unauthorized access.
In conclusion, the judgment of conviction of the first count of unauthorized access to a computer system is affirmed. On counts two through fifteen charging like offenses, the judgments are reversed, the verdicts are set aside, and judgments shall enter for the defendant. The case is remanded to the District Court for a determination whether the sentence imposed on the single conviction for unauthorized access to a computer system is still appropriate [Note 7] and, if not, for vacation of the sentence imposed and for resentencing.
[Note 1] Compare 18 U.S.C. § 1030(a)(5)(A)(ii) and (iii) (Supp. 2003) which, in addition to access, requires that the access result in damage.
[Note 2] By "login," we refer to the statutory language of using a "password or other authentication to gain access" to a computer system.
[Note 3] Act of Mar. 4, 1909, c. 321, § 189, 35 Stat. 1088, 1124 (current version at 18 U.S.C. § 1706 ).
[Note 4] Nancy's testimony on direct examination seemed to indicate that she received the eighteen e-mails electronically and had printed them out. On cross-examination she acknowledged that the printouts had been mailed by the defendant by surface mail.
[Note 5] "Now, you know that there are two -- basically two charges. The major charge is that the Defendant is charged with accessing a computer system without authorization in violation of Section 120F of Chapter 266 of our General Laws.
"Now, in order for the Commonwealth to prove that the Defendant is guilty of this charge, the Commonwealth must prove either of these two theories beyond a reasonable doubt. So there's two theories that you can -- you'll have to use. First theory is, that the Defendant accessed a computer system without authorization, and he did so knowingly. And for the purpose of the statute, a computer system would mean any system that you would have to get into in order to access another computer. I hope that's clear. If it's not you can come back with a question.
"The other theory is, that the Defendant gained access to a computer system by any means, and that he knew after gaining access to the computer system, that that access -- his access was not authorized. And that at that time, he failed to terminate that access.
"Under either theory, the requirement of a password or authentication to gain access, shall constitute notice that access is limited to authorized users."
[Note 6] For example, it is possible that the defendant saved several e-mails during the same "login" and printed them out on different dates.
[Note 7] The judge sentenced the defendant to one year administrative probation on counts one through fifteen; and, on count 16 (harassment), two years administrative probation from and after the probationary term for counts one through fifteen.