State v. Morri

928 F.2d 504 (2nd Cir. 1991)

Facts

D was a first-year graduate student in Cornell University's computer science Ph.D. program. From undergraduate work, at Harvard and in various jobs he had acquired significant computer experience and expertise. D was given an account on the computer at the Computer Science Division. This account gave him explicit authorization to use computers at Cornell. D engaged in various discussions with fellow graduate students about the security of computer networks and his ability to penetrate it. D began work on a computer program, later known worm program. The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that D had discovered. D designed the program to spread across a national network of computers after being inserted at one computer location connected to the network. D released the worm into the Internet. D designed the program to spread widely without drawing attention to itself. The worm was supposed to occupy little computer operation time, and thus not interfere with normal use of the computers. Morris programmed the worm to make it difficult to detect and read so that other programmers would not be able to 'kill' the worm easily. D also made sure that the worm did not copy itself onto a computer that already had a copy. The worm to 'asked' each computer whether it already had a copy of the worm. D was also concerned that other programmers could kill the worm by programming their own computers to falsely respond 'yes' to the question. To circumvent this protection, D programmed the worm to duplicate itself every seventh time it received a 'yes' response. As it turned out, Morris underestimated the number of times a computer would be asked the question, and his one-out-of-seven ratio resulted in far more copying than he had anticipated. The worm was also designed so that it would be killed when a computer was shut down, an event that typically occurs once every week or two. This would have prevented the worm from accumulating on one computer, had Morris correctly estimated the likely rate of reinfection. D released the worm from a computer at the Massachusetts Institute of Technology selected to disguise the fact that the worm came from D at Cornell. D soon discovered that the worm was replicating and reinfecting machines at a much faster rate than he had anticipated. Ultimately, many machines at locations around the country either crashed or became 'catatonic.' D eventually sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. But the network was so clogged that the message did not get through. Computers were affected at numerous installations, including leading universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000. D was found guilty of violating 18 U.S.C. § 1030(a)(5)(A). He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision. D appealed. The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of 'access without authorization.'