USA v. Andrew Auernheimer
Filing
59
ECF FILER: ELECTRONIC REPLY BRIEF on behalf of Appellant Andrew Auernheimer, filed. Certificate of Service dated 10/25/2013 by ECF. (HMF)
NO. 13-1816
UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
UNITED STATES OF AMERICA,
PLAINTIFF-APPELLEE,
V.
ANDREW AUERNHEIMER,
DEFENDANT-APPELLANT.
On Appeal From The United States District Court
For The District of New Jersey
Case No. 2:11-cr-00470-SDW-1
Honorable Susan D. Wigenton, District Judge
APPELLANT’S REPLY BRIEF
Tor B. Ekeland
Mark H. Jaffe
TOR EKELAND, P.C.
155 Water Street
Brooklyn, NY 11201
Tel.: (718) 285-9343
Email: tor@torekeland.com
Orin S. Kerr
2000 H Street, N.W.
Washington, DC 20052
Tel.: (202) 994-4775
Email: okerr@law.gwu.edu
Marcia Hofmann
LAW OFFICE OF MARCIA HOFMANN
25 Taylor Street
San Francisco, CA 94102
Tel.: (415) 830-6664
Email: marcia@marciahofmann.com
Hanni M. Fakhoury
ELECTRONIC FRONTIER FOUNDATION
815 Eddy Street
San Francisco, CA 94109
Tel.: (415) 436-9333
Email: hanni@eff.org
Counsel for DefendantAppellant Andrew Auernheimer
TABLE OF CONTENTS
SUMMARY OF ARGUMENT ................................................................................ 1
ARGUMENT ............................................................................................................ 1
I.
AUERNHEIMER AND SPITLER DID NOT ACCESS AT&T’S
COMPUTERS WITHOUT AUTHORIZATION ................................. 1
A.
B.
ICC-IDs are not “Passwords.” .................................................... 3
C.
Spitler’s Program Did Not Illegally “Impersonate” iPad
Owners........................................................................................ 6
D.
Whether Spitler used “Expertise” To Design the Program Is
Irrelevant to Whether the Program Accessed AT&T’s
Computer Without Authorization. .............................................. 7
E.
Spitler’s Program Was Not Illegal Because It Set the User
Agent to that of an iPad. ........................................................... 13
F.
II.
The Court Cannot Defer to the Jury’s Finding That the Email
Addresses Were Protected and Unavailable to the Public
Because the Jury Made No Such Finding................................... 1
Substantial Authority Acknowledges the Ambiguity of
‘Unathorized Access’ Under the CFAA. .................................. 16
IF AUERNHEIMER CONSPIRED TO VIOLATE THE CFAA, THE
VIOLATION WAS ONLY A MISDEMEANOR. ............................. 17
A.
B.
The Felony Enhancement Cannot Apply Because the
Enhancement Requires Independent Conduct, not an Additional
Element. .................................................................................... 17
Auernheimer Did Not Violate N.J. Stat. Ann. § 2C:20-31(a)
Both Because the Program Did Not Circumvent a Code-Based
Restriction and Because New Jersey Does Not and Cannot
Regulate Purely Extraterritorial Conduct. ................................ 19
i
1.
The Program Did Not Violate New Jersey Law Because
It Did Not Circumvent Any Code-Based Restrictions. .. 19
2.
The Program Did Not Violate N.J. Stat. Ann. § 2C:2031(a) Because New Jersey Law Does Not and Cannot
Apply to Purely Extraterritorial Conduct ....................... 20
III.
THE GOVERNMENT CANNOT DEFEND AUERNHEIMER’S
CONVICTION ON COUNT 2 BASED ON A NEW THEORY OF
LIABILITY NEVER PRESENTED TO THE JURY. ....................... 24
IV.
VENUE WAS IMPROPER IN NEW JERSEY ON BOTH
COUNTS ............................................................................................ 27
A.
B.
The Government Cannot Establish Venue for Count 1 by
Invoking the Prosecutor’s Decision to Charge Count 1 as a
Felony Using a New Jersey Statute. ......................................... 30
C.
The Government Cannot Establish Venue for Count 1 Based on
a Failure to Act in New Jersey. ................................................ 35
D.
Venue Was Not Established for Count 1 When an FBI Agent in
New Jersey Read About the Alleged Offense over the
Internet...................................................................................... 36
E.
Assuming Venue Was Proper for Count 1, Venue Was
Improper for Count 2. ............................................................... 39
F.
V.
The “Substantial Contacts” Test Cannot Establish Venue
Because it is a Limitation on Venue and Not a Test to Establish
It…… ........................................................................................ 27
Venue is Not Subject to Harmless Error Review. .................... 41
THE ALLEGED MAILING COSTS WERE NOT “LOSS” UNDER
THE SENTENCING GUIDELINES. ................................................. 42
A.
The Government Failed to Prove AT&T Suffered a $73,000
“Loss” ....................................................................................... 43
ii
1.
2.
B.
The Standard of Review Should Be Clear Error, Not
Plain Error. ..................................................................... 43
Nothing in the Record Supports the “Loss” Amount. .... 44
Alleged Costs AT&T Spent Notifying its Customers Is Not
“Actual Loss” Under U.S.S.G. § 2B1.1. .................................. 45
1.
The Mailing Costs Were Not “Reasonably Foreseeable
Pecuniary Harm” Under U.S.S.G. § 2B1.1. ................... 46
2.
The Mailing Costs Were Not Loss Under the Broader
Definition of “Loss” for CFAA Convictions. ................ 49
CONCLUSION ....................................................................................................... 51
iii
TABLE OF AUTHORITIES
Federal Cases
American Civil Liberties Union v. Johnson,
194 F.3d 1149 (10th Cir. 1999)..................................................................... 23
American Libraries Ass’n v. Pataki,
969 F.Supp. 160 (S.D.N.Y. 1997) ................................................................. 23
Bouie v. City of Columbia,
378 U.S. 347 (1964) ...................................................................................... 10
Center For Democracy & Technology v. Pappert,
337 F.Supp.2d 606 (E.D. Pa. 2004) .............................................................. 23
Chiarella v. United States,
445 U.S. 222 (1980) .................................................................................. 2, 26
Civic Ctr. Motors, Ltd. v. Mason St. Imp. Cars, Ltd.,
387 F. Supp. 2d 378 (S.D.N.Y. 2005) ........................................................... 50
Cola v. Reardon,
787 F.2d 681 (1st Cir. 1986) ......................................................................... 26
Communications Workers v. Beck,
487 U.S. 735 (1988) ...................................................................................... 24
Concrete Pipe & Prods. of Cal., Inc. v. Constr. Laborers Pension Trust
for S. Cal., 508 U.S. 602 (1993) ................................................................... 43
Dunn v. United States,
442 U.S. 100 (1979) ...................................................................................... 26
EF Cultural Travel BV v. Explorica, Inc.,
274 F.3d 577 (1st Cir. 2001) ........................................................... 8, 9, 12, 16
EF Cultural Travel BV v. Zefer Corp.,
318 F.3d 58 (1st Cir. 2003) ....................................................................passim
iv
Farmers Ins. Exch. v. Auto Club Grp.,
823 F. Supp. 2d 847 (N.D. Ill. 2011) ............................................................ 50
Giaccio v. Pennsylvania,
382 U.S. 399 (1966) ...................................................................................... 10
Healy v. Beer Institute, Inc.,
491 U.S. 324 (1989) ...................................................................................... 22
In re Cmty. Bank of N. Virginia,
418 F.3d 277 (3d Cir. 2005) .......................................................................... 49
In re DoubleClick Inc. Privacy Litigation,
154 F. Supp. 2d 497 (S.D.N.Y. 2001) ........................................................... 50
LVRC Holdings, LLC v. Brekka,
581 F.3d 1127 (9th Cir. 2009)................................................................. 16, 36
McBurney v. Young,
133 S.Ct. 1709 (2013) ................................................................................... 22
Miller v. French,
530 U.S. 327 (2000) ...................................................................................... 23
Morales v. Trans World Airlines, Inc.,
504 U.S. 374 (1992) ...................................................................................... 49
Nexans Wires S.A. v. Sark-USA, Inc.,
319 F. Supp. 2d 468 (S.D.N.Y. 2004)
aff’d, 166 Fed. App’x 559 (2d Cir. 2006) ............................................... 50, 51
PSINet, Inc. v. Chapman,
362 F.3d 227 (4th Cir. 2004)......................................................................... 23
Travis v. United States,
364 U.S. 631 (1961) ................................................................................ 31, 38
United States v. Alvarado,
--- F. Supp. 2d ----, 2013 WL 3816692 (E.D.Wis. 2013) ............................. 30
v
United States v. Anderson,
328 U.S. 699 (1946) ...................................................................................... 35
United States v. Bin Laden,
146 F. Supp. 2d 373 (S.D.N.Y. 2001) ........................................................... 38
United States v. Bowens,
224 F.3d 302 (4th Cir. 2000)............................................................. 31, 32, 35
United States v. Brennan,
183 F.3d 139 (2d Cir. 1999) .......................................................................... 41
United States v. Cabrales,
524 U.S. 1 (1998) .................................................................................... 29, 32
United States v. Cioni,
649 F.3d 276 (4th Cir. 2011)............................................................. 17, 18, 19
United States v. Clenney,
434 F.3d 780 (5th Cir. 2005)....................................................... 30, 34, 35, 40
United States v. Cofield,
11 F.3d 413 (4th Cir. 1993)........................................................................... 29
United States v. Coplan,
703 F.3d 46 (2d Cir. 2012) ............................................................................ 33
United States v. Davis,
689 F.3d 179 (2d Cir. 2012) .......................................................................... 28
United States v. Dullum,
560 F.3d 133 (3d Cir. 2009) .......................................................................... 43
United States v. Fumo,
655 F.3d 288 (3d Cir. 2011) .......................................................................... 45
United States v. Goldberg,
830 F.2d 459 (3d Cir. 1987) .............................................................. 27, 28, 29
vi
United States v. Grier,
475 F.3d 556 (3d Cir. 2007) .......................................................................... 43
United States v. Hammoude,
51 F.3d 288 (D.C. Cir. 1995) ........................................................................ 21
United States v. Hart-Williams,
967 F.Supp. 73 (S.D.N.Y. 1997)............................................................. 41, 42
United States v. Kane,
450 F.2d 77 (5th Cir. 1971)............................................................................. 7
United States v. Lawson,
677 F.3d 629 (4th Cir. 2012)....................................................................... 3, 4
United States v. Magassouba,
619 F.3d 202 (2d Cir. 2010) .......................................................................... 39
United States v. Miller,
527 F.3d 54 (3d Cir. 2008) ...................................................................... 21, 24
United States v. Mitchell,
518 F.3d 230 (4th Cir. 2008)......................................................................... 27
United States v. Muhammad,
502 F.3d 646 (7th Cir. 2007)......................................................................... 28
United States v. Nosal,
676 F.3d 854 (9th Cir. 2012) (en banc)......................................................... 13
United States v. Oceanpro Indus., Ltd.,
674 F.3d 323 (4th Cir. 2012)......................................................................... 31
United States v. Pavulak,
700 F.3d 651 (3d Cir. 2012) .................................................................... 21, 24
United States v. Pendleton,
658 F.3d 299 (3d Cir. 2011) .................................................................... 28, 37
vii
United States v. Powers,
No. 8:09-cr-00361, 2010 WL 1418172 (D. Neb. Mar. 4, 2010) ................... 39
United States v. Ramirez,
420 F.3d 134 (2d Cir. 2005) .......................................................................... 38
United States v. Reed,
773 F.2d 477 (2d Cir. 1985) .............................................................. 27, 28, 29
United States v. Rodriguez,
--- F.3d ----, 2013 WL 5630962 (11th Cir. Oct. 16, 2013) ........................... 45
United States v. Rodriguez-Moreno,
526 U.S. 275 (1999) .......................................................................... 29, 32, 34
United States v. Rowe,
414 F.3d 271 (2d Cir. 2005) .................................................................... 38, 39
United States v. Royer,
549 F.3d 886 (2d Cir. 2008) .......................................................................... 28
United States v. Saavedra,
223 F.3d 85 (2d Cir. 2000) ...................................................................... 28, 41
United States v. Salinas,
373 F.3d 161 (1st Cir. 2004) ......................................................................... 37
United States v. Strain,
396 F.3d 689 (5th Cir. 2005)......................................................................... 33
United States v. Thomas,
74 F.3d 701 (6th Cir.1996)............................................................................ 39
United States v. Walker,
Nos. 11–2727, 11–2845, 11–3087, 11–3088, 2013 WL 3481682
(3d Cir. 2013) .......................................................................................... 21, 24
United States v. Williams,
274 F.3d 1079 (6th Cir. 2001)....................................................................... 29
viii
Verizon Nw., Inc. v. Main St. Dev., Inc.,
693 F. Supp. 2d 1265 (D. Or. 2010) ............................................................. 36
WEC Carolina Energy Solutions LLC v. Miller,
687 F.3d 199 (4th Cir. 2012)........................................................................ 16
Wilson v. Moreau,
440 F. Supp. 2d 81 (D.R.I. 2006) .................................................................. 51
State Cases
State v. Gaikwad,
793 A.2d 39 (N.J. App. Div. 2002) ............................................................... 20
State v. Riley,
988 A.2d 1252 (N.J. Super. Ct. Law Div. 2009) .......................................... 19
Federal Statutes
18 U.S.C. § 1028 ......................................................................................... 24, 25, 27
18 U.S.C. § 1030 ..............................................................................................passim
18 U.S.C. § 1071 ..................................................................................................... 31
18 U.S.C. § 1204 ..................................................................................................... 34
18 U.S.C. § 2701 ............................................................................................... 17, 18
18 U.S.C. § 3237 ..................................................................................................... 37
State Statutes
Ark. Code Ann. § 4-110-105(e) .............................................................................. 47
Cal. Civ. Code § 1798.29 ........................................................................................ 47
Cal. Civ. Code § 1798.82 ........................................................................................ 47
Ga. Code Ann. § 10-1-911(4).................................................................................. 47
ix
Ga. Code Ann. § 10-1-912(a) .................................................................................. 47
N.J. Stat. Ann. § 56:8-161 ....................................................................................... 47
N.J. Stat. Ann. § 56:8-163(d) .................................................................................. 47
N.J. Stat. Ann. § 2C:20-31(a) ...........................................................................passim
Tex. Bus. & Com. Code Ann. § 521.053(e) ............................................................ 48
Federal Rules
Federal Rule of Criminal Procedure 29............................................................. 21, 24
U.S. Sentencing Guidelines
United States Sentencing Guideline § 2B1.1 ...................................................passim
Legislative Materials
S. Rep. No. 99–432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479 ....................... 13
Other Authorities
Charles Alan Wright, et al., Federal Practice and Procedure (4th ed. 2013) ........ 36
Crawling & Indexing, - Inside Search, Google ....................................................... 12
Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer
Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003) ................................... 19, 20
Daniel B. Garrie, The Legal Status of Software, 23 J. Marshall J. Computer
& Info. L. 711 (2011) .................................................................................... 11
Default User-Agent (UA) String Changed, Microsoft ............................................ 15
Header Field Definitions, World Wide Web Consortium ...................................... 15
Merriam-Webster Online .......................................................................................... 7
x
Understanding User-Agent Strings, Microsoft ....................................................... 15
Wayne R. LaFave, Criminal Law (4th Ed. 2003) ................................................... 36
Wayne R. LaFave, et al., Criminal Procedure (3d ed. 2012) ........................... 29, 41
William E. Burr, et al., National Institute of Standards and Technology,
Electronic Authentication Guideline, Information Security (2011)................ 3
xi
SUMMARY OF ARGUMENT
The government has acknowledged that Auernheimer’s opening brief “raises
serious substantive challenges to the Government’s prosecution.” United States’
Motion For a Word Limit Extension to 26,500 Words & A Stay of the Briefing
Schedule at 1. The government has responded to those challenges by filing a
26,495-word merits brief. This reply brief explains the errors in the Government’s
brief in the order that they appear.
ARGUMENT
I.
AUERNHEIMER AND SPITLER DID NOT ACCESS AT&T’S
COMPUTERS WITHOUT AUTHORIZATION.
The government defends its view that Spitler and Auernheimer conspired to
violate the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2)(C),
with six different arguments. None are persuasive.
A.
The Court Cannot Defer to the Jury’s Finding that the Email
Addresses Were Protected and Unavailable to the Public Because
the Jury Made No Such Finding.
Auernheimer’s opening brief argues that access to an unprotected computer
available to the public on the World Wide Web does not violate 18 U.S.C.
§ 1030(a)(2). See Appellant’s Opening Br. (“AB”) 19-25. The government’s brief
appears to agree with that interpretation of the CFAA. See Br. for Appellee
(“GB”) 27. Instead, the government argues that this court should defer to the
1
jury’s factual finding that the email addresses were protected and not publicly
available. See id.
The government’s argument is meritless because the jury was not asked to
decide whether the email addresses were unprotected or publicly available. During
pre-trial motions, the Government persuaded the District Court that “access
without authorization” in § 1030(a)(2) simply means access without permission.
App1. 21-22. 1 As a result, the jury was instructed that “access without
authorization” in § 1030(a)(2) means “to access a computer without approval or
permission.” App2. 704.
Because the District Court adopted the government’s proposed definition,
the jury was never asked to decide whether the email addresses were unprotected
or available to the public.
During closing arguments, the prosecutor never
mentioned whether the information was protected. He mentioned whether the
information was publicly available only once in passing, and without any context
or connection to the relevant legal standard. See App2. 611.2
A court cannot defer to a jury finding on an issue that the jury was not asked
to decide. See Chiarella v. United States, 445 U.S. 222, 236 (1980) (“[W]e cannot
1
“App1.” refers to Volume 1 of the Appendix attached to the end of
Auernheimer’s opening brief. “App2.” refers to Volume 2 of the Appendix, filed
separately in connection with the opening brief.
2
“How can it be that information is publicly available if you have to lie to get at
it? It can’t. The information wasn’t publicly available.” App2. 611.
2
affirm a criminal conviction on the basis of a theory not presented to the jury.”).
As a result, the Government’s deference argument is without merit.
B.
ICC-IDs Are Not “Passwords.”
Auernheimer’s opening brief explains that Spitler’s program was permitted
to collect information from AT&T’s computer because the information was not
protected by a password or other security measure. AB 22. The government
responds that the addresses were in fact protected by a kind of password. Relying
on the definition of “passwords” found on the Internet website Wikipedia, the
government contends that ICC-IDs are passwords because they are “shared
secrets” between the user and the AT&T server. GB 38-41.
The government is wrong: ICC-IDs are not passwords.
The National
Institute of Standards and Technology at the U.S. Department of Commerce
defines a password as a “secret that a Claimant memorizes and uses to authenticate
his or her identity.” William E. Burr, et al., National Institute of Standards and
Technology, Electronic Authentication Guideline, Information Security 12 (2011),
available at http://www.nist.gov/customcf/get_pdf.cfm?pub_id=910006.
Under
this standard, from a source surely more authoritative than Wikipedia,3 ICC-IDs are
3
Undersigned counsel are big fans of Wikipedia. At the same time, the
Government is wrong to rely on it for definitions of terms. “Given the open-access
nature of Wikipedia, the danger in relying on a Wikipedia entry is obvious and
real.” United States v. Lawson, 677 F.3d 629, 650 (4th Cir. 2012). Wikipedia “is
3
not passwords. AT&T customers normally would not know that ICC-IDs exist,
much less what they are. Presumably none have ever memorized their ICC-IDs.
ICC-IDs are just serial numbers associated with iPads.
They are not secrets
memorized by users that authenticate them as the correct person to access an
account. For that reason, they are not passwords.
Common experience confirms the point. Every computer user is familiar
with website login prompts that ask users to enter in a username and password to
access an account. AT&T’s website contained such a login prompt. App2. 25253, 257. In its current form, it looks like this:4
It is not difficult to identify the password in this login prompt. The password is the
secret code entered by the user into the box marked “Password.” Here, by contrast,
ICC-IDs had nothing to do with the password box.
written largely by amateurs” and is “easily vandalized,” leading many courts to
reject its use. Id. (citing cases).
4
Viewable at https://dcp2.att.com/OEPNDClient/ (last visited Oct. 22,
2013).
4
The fact that ICC-IDs are numbers associated with specific persons does not
make them passwords. To see why, consider the website operated by the Federal
Judicial Center (FJC) available at http://www.fjc.gov. The FJC website publishes
webpages containing biographies of federal judges. Every federal judge has a
biography published at a unique address using a special number for that judge.
Examples include the following:
http://www.fjc.gov/servlet/nGetInfo?jid=1563
http://www.fjc.gov/servlet/nGetInfo?jid=2208
http://www.fjc.gov/servlet/nGetInfo?jid=911
Entering these Internet addresses into a web browser retrieves biographies of Chief
Judge McKee, Judge Sloviter, and Judge Greenaway, respectively. And these are
only three examples of several thousand biographies published on the FJC website.
Changing the numbers at the end of the address changes the biography that visitors
will see. Any Internet user who wants to collect biographies of every federal judge
can start at number 1 (corresponding to Judge Matthew Abruzzo) and change the
number sequentially all the way to number 3493 (corresponding to Judge Madeline
Haikala, the most recently-confirmed judge with a biography at the time this brief
was filed).
The FJC’s website posts information on the web about specific persons
using specific numbers that are difficult to guess. But the number 1563 is not
Chief Judge McKee’s password, just as 2208 is not Judge Sloviter’s password and
5
911 is not Judge Greenaway’s password. The numbers at the end of FJC website
addresses are just numbers that enable each biography to appear at a specific
Internet address.
The same is true of AT&T’s website in this case. AT&T decided to post
information about persons on the Internet using ICC-IDs as the suffixes of website
addresses.
Those suffixes are not “passwords” known to individuals whose
information was posted. Instead, they are numbers that enable Internet addresses
where information can be posted. Entering in those numbers is not a federal crime,
regardless of whether the website belongs to the FJC or AT&T.
C.
Spitler’s Program Did Not Illegally “Impersonate” iPad Owners.
The government also argues that Spitler’s program committed an
unauthorized access because it “impersonated” other iPad owners. GB 24-26. The
government’s impersonation theory fails for two reasons.
First, the CFAA
punishes unauthorized access, not impersonation. Whether access to a computer
amounts to an “impersonation” is not an element of the CFAA, and the jury
instruction on whether an unauthorized access occurred under the CFAA did not
mention impersonation.5 App2. 703-04.
Second, even assuming that impersonation violates the CFAA, no
impersonation occurred here. To impersonate someone means to pretend to be that
5
“Impersonating” appeared only in an instruction about New Jersey’s computer
crime statute, not the CFAA. App2. 706.
6
person.6 But Spitler’s program was not designed to trick AT&T into thinking that
114,000 users had queried the website in rapid sequence. The program did not
hide Spitler’s Internet Protocol address. It did not send authenticating information
such as personal passwords. It did not create the impression that the visits were
coming from many different sources.
Spitler’s program did not impersonate
anyone. It simply sent requests to a website. Cf. United States v. Kane, 450 F.2d
77, 85 (5th Cir. 1971) (noting that a police officer who answered the defendant’s
phone during a search of his apartment was not “impersonating” the defendant).
For the same reason, the government’s claim that Spitler’s program
“tricked” AT&T’s computer is wrong. GB 42. AT&T knew perfectly well that
anyone who entered in the correct website address would obtain a user’s e-mail
address.
AT&T made a deliberate choice to configure the website this way.
App. 217-18, 258-59. No one was tricked by Spitler’s program.
D.
Whether Spitler Used “Expertise” to Design the Program Is
Irrelevant to Whether the Program Accessed AT&T’s Computer
Without Authorization.
The government argues that Spitler’s program was illegal because it required
“computer expertise” to design it. GB 30. The government envisions two kinds of
Internet users: (1) “ordinary” users, such as “a typical judicial law clerk,” and
6
See
Merriam-Webster
Online,
http://www.merriamwebster.com/dictionary/impersonate (defining impersonate as “to pretend to be
(another person)”) (last visited Oct. 25, 2013).
7
(2) “skilled and determined” computer users, such as Spitler. Id. at 32-33. Basing
its standard of criminal liability on “norms of behavior that are generally
recognized by society” and that are apparent to a “reasonable person,” GB 35, the
government argues that Spitler’s program was illegal because it exceeded
expectations of what an “ordinary” computer user would obtain. Id. at 32, 35.
No court has ever adopted the Government’s proposed interpretation of the
CFAA. Further, the First Circuit squarely rejected the Government’s interpretation
in a very similar case, EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir.
2003). Zefer Corporation was a sophisticated business that used its “computerrelated expertise” to help other companies. Id. at 60. It built “a scraper tool that
could ‘scrape’ the prices” from the website of a leading travel business, EF
Cultural Travel. Id. The scraper program was programmed to then download the
collected data into an Excel spreadsheet for subsequent analysis. Id.
Zefer
designed the scraper program based on “proprietary information about the structure
of the website and the tour codes” provided to it by a former employee of EF who
left to work for a competitor, Explorica. EF Cultural Travel BV v. Explorica, Inc.,
274 F.3d 577, 583 (1st Cir. 2001). The scraper program sent 30,000 queries to the
EF website to build a database for Explorica. Id. at 579.
8
The queries sent by Zefer’s program closely resembled the queries sent to
AT&T’s website in this case.
Recall that Spitler’s program sent queries to
AT&T’s website that looked like this:
https://dcp2.att.com/OEPClient/openPage?ICCID=89014104243221
019785&IMEI=0
AB 19; App2. 263, 725-27. Similarly, Zefer’s program sent queries to EF Cultural
Travel’s website that looked like this:
http://www.eftours.com/tours/PriceResult.asp?Gate=GTF&TourID=LPM
Explorica, 274 F.3d at 583 n.11. In this website address, the letters “GTF” and
“LPM” were proprietary codes used by EF that apparently were only known to EF
employees. Id. at 583.
When EF filed a civil CFAA suit, the district court applied the standard
argued by the Government in this case. Specifically, the district court granted a
preliminary injunction prohibiting use of the program because the program’s use
was “not in line with the reasonable expectations of the website owner and its
users.” Id. at 582 n.10.
On appeal, however, the First Circuit unanimously rejected the district
court’s “reasonable expectations” standard for CFAA liability. Zefer, 318 F.3d at
62-63. The First Circuit reasoned that “nothing justifies putting users at the mercy
of a highly imprecise, litigation-spawning standard like ‘reasonable expectations.’”
Id. at 63. If EF wanted to ban access to its website in ways that the CFAA would
9
enforce, EF needed to do so in a way that would “giv[e] fair warning” to Internet
users “and avoid[] time-consuming litigation about its private, albeit ‘reasonable,’
intentions.” Id. Use of Zefer’s program was authorized and legal.
The government’s proposed standard of liability is identical to that rejected
by the First Circuit in Zefer. Mirroring the “reasonable expectations” test, the
government’s “norms of behavior” standard, GB 35, is based on how a “reasonable
person” would expect information to be collected from a website. This Court
should reject that standard for the same reason the First Circuit did so: it puts users
at the “mercy of a highly imprecise” and ambiguous standard that cannot be
defined. Zefer, 318 F.3d at 63.
Such ambiguity is particularly problematic in a criminal case. It is one thing
to adopt a vague standard that risks excessive civil litigation; it is quite another to
adopt a vague standard that may lead to 41-month jail sentences. For that reason,
the Supreme Court has emphasized that “a criminal statute must give fair warning
of the conduct that it makes a crime[.]” Bouie v. City of Columbia, 378 U.S. 347,
350 (1964). The Constitution does not allow a criminal law to be “so vague and
standardless that it leaves the public uncertain as to the conduct it prohibits or
leaves judges and jurors free to decide, without any legally fixed standards, what is
prohibited and what is not in each particular case.” Giaccio v. Pennsylvania, 382
U.S. 399, 402-03 (1966). The government’s vague and standardless approach,
10
resting on “norms of behavior that are generally recognized” by a “reasonable
person,” GB 35, cannot provide the fair notice that the Constitution requires.
That is true for a common sense reason: Levels of computer expertise
rapidly evolve and vary widely based on age and education.
What seems
complicated and shocking to an adult may seem easy and obvious to his children.
The distinction between prohibited expert use and permitted novice use is
particularly incoherent given how computer programs typically are developed.
First, a computer expert uses effort and skill to build a program that anyone can
use. Second, novices use the program to perform the same steps as the expert. See
Daniel B. Garrie, The Legal Status of Software, 23 J. Marshall J. Computer & Info.
L. 711, 713-23 (2011). Given this reality, courts have no way to distinguish
between “purposeful action by a determined individual” that is criminal and
“ordinary” action that is not. GB 29.
The malleability of the government’s standard is aptly demonstrated by the
government’s dramatically different treatment of the facts of Zefer and the facts of
this case. To distinguish Zefer under its proposed standard, the government must
portray Spitler’s program as “sophisticated” and Zefer’s program as “ordinary.” It
does so using a narrative trick.
When describing the facts of this case, the
government starts the story from the very beginning. The government’s brief goes
11
into glorious detail in its comprehensive technical description of how Spitler
designed and used the program. See GB 5-10, 27-29.
In contrast, the government skips over all of these steps when describing the
facts of Zefer. The government’s brief states that Zefer was hired, and then it
jumps immediately to the litigation that ensued after the program had been used.
GB 31-32. The government neglects to point out (much less elaborate on) how an
insider gave Zefer proprietary information about the website’s structure needed to
build the program, and how Zefer used its “computer-related expertise” to design
the program.
See Zefer, 318 F.3d at 60; Explorica, 274 F.3d at 583.
The
government’s portrayal of one case as technologically complex and the other case
as technologically simple merely reflects the government’s choice to dwell on the
technological details in one case but not the other. The difference is storytelling,
not law. Criminal liability cannot rest on that standard.7
7
The government suggests in passing that use of Spitler’s program was
illegal because it obtained information not available through a public search engine
such as Google. GB 27. This suggestion misfires because the information
collected by the scraper in Zefer would not have been available through a search
engine, either. See Zefer, 318 F.3d at 60; Explorica, 274 F.3d at 583.
The government also fails to note that search engines such as Google
themselves collect information by sending programs out to scrape data from
websites on the Internet. See Crawling & Indexing, - Inside Search, Google,
http://www.google.com/intl/en_us/insidesearch/howsearchworks/crawlingindexing.html (last visited Oct. 25, 2013). Under the government’s approach,
Google may be committing serious federal crimes by scraping data to create its
search databases. Finally, whether Google or another search engine happens to
make information available is largely a question of the policy followed by each
12
E.
Spitler’s Program Was Not Illegal Because It Set the User Agent
to that of an iPad.
The government also argues that Spitler’s program accessed the AT&T
computer without authorization because it applied a user agent setting that matched
that of an iPad. GB 20, 25, 28. The government acknowledges that user agents
generally do not limit access. Id. at 56. But the government argues that this case is
different because Spitler set the user agent to that of an iPad to obtain the email
addresses. Id. at 20, 25. In the government’s view, the user agent setting was a
block on access, the circumvention of which violates the CFAA. GB 20, 55.
This argument is unpersuasive because user agents cannot act as access
restrictions. A user agent is simply a browser setting. Every person who surfs the
Internet can set the user agent as she wishes. User agents do not identify website
requests as coming from particular people. They merely reflect the setting that the
user picked or the web browser happened to select as a default. App2. 256-57.
An analogy based on physical trespass law helps explain why. See S. Rep.
No. 99–432, at 7 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2484-85
(analogizing “unauthorized access” in the CFAA to physical trespass law).
Imagine that a convenience store has posted a sign: “No shirts, no shoes, no
service.” A shirtless customer tries to enter the store. Because the customer is not
company. “Significant notice problems arise if we allow criminal liability to turn
on the vagaries of private polices.” United States v. Nosal, 676 F.3d 854, 860 (9th
Cir. 2012) (en banc).
13
wearing a shirt, the store clerk explains the store policy and denies the customer
entry. The customer happens to have a shirt in his bag, however, so he puts on his
shirt and then tries to enter the store again. This time, the clerk sees the customer’s
shirt and permits the customer to enter.
Now consider whether the customer is criminally liable for committing a
trespass when he entered the store after putting on his shirt.
The answer is
obviously “no.” It is true that the clerk initially blocked the customer’s entrance,
and the customer then devised a way to circumvent the block. But no trespass
occurred because no one would understand the store’s policy as an effort to keep
that specific customer out. The store’s policy would be understood as allowing
everyone to enter on the simple condition that they wear a shirt and shoes. Anyone
can do that. Because the customer put on his shirt after being denied entrance, he
complied with the policy and he was fully authorized to enter the store when he did
so. No trespass occurred because wearing a shirt is not an access restriction.
The same reasoning applies with user agents under the CFAA. To computer
users, changing a user agent is like putting on a shirt. It is easily done and it takes
a few seconds. It does not require any “lying” or “trickery,” as user agents are not
set to tell truth or falsehoods. User agents are simply settings that can be changed
just like a person might change his clothes. A website that requires users to adjust
the user agent to access it electronically is no different from a store that requires
14
customers to put on a shirt to access it physically. Users who comply with the
store’s condition on entry are fully authorized. Changing the user agent does not
make a person guilty of trespass, whether that trespass is a physical trespass or the
cyber trespass of the CFAA.
The ubiquity of changing user agents confirms the point. For example,
Microsoft’s Internet Explorer browser sets the default user agent to incorrectly
identify itself as a Mozilla browser.
See Understanding User-Agent Strings,
Microsoft, http://msdn.microsoft.com/library/ms537503.aspx (last updated July
2013) (“For historical reasons, Internet Explorer identifies itself as a Mozilla
browser.”).
When the most recent version of Internet Explorer was released,
Microsoft decided to have the browser identify itself as a Mozilla 5.0 browser
instead of a Mozilla 4.0 browser.8 Microsoft does not consider itself or its users to
be engaging in deception, or to be breaking into websites. User agents simply do
not act as access restrictions.9
8
Default
User-Agent
(UA)
String
Changed,
Microsoft,
http://msdn.microsoft.com/en-us/library/ie/ff986085(v=vs.85).aspx (last visited
Oct. 25, 2013).
9
The explanation of user agents promulgated by the World Wide Web Consortium
confirms this point. See Header Field Definitions, World Wide Web Consortium,
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.43 (last visited
Oct. 25, 2013).
15
F.
Substantial Authority Acknowledges
‘Unauthorized Access’ Under the CFAA
the
Ambiguity
of
As explained in Auernheimer’s opening brief, if this Court is unsure whether
“authorization” in the CFAA encompasses Spitler’s actions, it should apply the
rule of lenity and adopt a narrow construction of the statute that favors the defense.
AB at 31-32.
The government responds that the rule of lenity should not apply because the
CFAA’s prohibition on unauthorized access is clear. GB at 45-47. Three sister
circuits have disagreed. See, e.g., WEC Carolina Energy Solutions LLC v. Miller,
687 F.3d 199, 205-06 (4th Cir. 2012) (recognizing widespread disagreement on
the meaning of unauthorized access and adopting a narrow interpretation so as to
“yield to the rule of lenity”); LVRC Holdings, LLC v. Brekka, 581 F.3d 1127,
1134-35 (9th Cir. 2009) (rejecting a broad interpretation of unauthorized access
because “the rule of lenity, which is rooted in considerations of notice, requires
courts to limit the reach of criminal statutes to the clear import of their text and
construe any ambiguity against the government”); Explorica, 274 F.3d at 582 n.10
(noting that the meaning of the term “has proven to be elusive.”).
This Court should heed these decisions and find that Spitler’s conduct did
not violate the CFAA.
16
II.
IF AUERNHEIMER CONSPIRED TO VIOLATE THE CFAA, THE
VIOLATION WAS ONLY A MISDEMEANOR.
The government argues that any conspiracy to violate the CFAA was a
felony instead of a misdemeanor because it was in furtherance of a New Jersey
statute, N.J. Stat. Ann. § 2C:20-31(a). GB 52-62. The government’s argument is
erroneous.
A.
The Felony Enhancement Cannot Apply Because the
Enhancement Requires Independent Conduct, Not an Additional
Element.
The government first contends that the felony enhancement under 18 U.S.C.
§ 1030(c)(2)(B)(ii) was proper because N.J. Stat. Ann. § 2C:20-31(a) contains an
element not found in 18 U.S.C. § 1030(a)(2)(C). GB 52-55. According to the
government, § 1030(a)(2)(C) does not include a distribution element while the
New Jersey crime does.
Id. The government misunderstands the law.
The
relevant legal question is whether the government has charged two different acts,
not whether the government can identify a difference between two statutes.
The key precedent is United States v. Cioni, 649 F.3d 276, 278-79 (4th Cir.
2011), in which the Fourth Circuit overturned a felony conviction under
§ 1030(c)(2)(B)(ii) because the government tried to apply a felony enhancement
based on a violation of the unauthorized access statute found in 18 U.S.C.
§ 2701(a) to a single course of conduct.
The Fourth Circuit recognized that
§ 2701(a) and § 1030(a)(2)(C) are “distinct and different” crimes, and that “proof
17
of a § 2701(a) offense requires proof of facts that are not required for a violation of
§ 1030.”
Id. at 282.
Nonetheless, the court ruled the felony enhancement
improper because “the facts or transactions alleged to support [the misdemeanor]
offense are also the same used” to enhance the CFAA charge to a felony under
§ 1030(c)(2)(B)(ii). See id.
Cioni overturned a felony conviction for attempting to access another
person’s email account because the “conduct” underlying the § 2701(a) crime was
not “distinct” from the conduct underlying the § 1030(a)(2)(c) crime. Id. at 283.
Cioni explained:
Count 4, which claims two crimes, one in furtherance of the other, is
actually based on Cioni’s single unsuccessful attempt to access Patricia
Freeman’s AOL electronic e-mail account. . . . If the government had proven
that Cioni accessed Freeman’s e-mail inbox and then used the information
from that inbox to access another person’s electronic communications, no
merger problem would have arisen. But the government charged and
attempted to prove two crimes using the same conduct . . . .
Id. at 283.
The same reasoning applies here. N.J. Stat. Ann. § 2C:20-31(a) is an
unauthorized access statute that contains an element of crime that is not found in
18 U.S.C. § 1030(a)(2)(C), just like § 2701(a) is an unauthorized access statute that
“requires proof of facts that are not required for a violation of § 1030.” Id. at 282.
But just like in Cioni, the government’s argument must fail because the
government is charging a single course of conduct. Specifically, the government is
18
attempting to prove its case based on a conspiracy to gather information from
AT&T’s website and share the information with a reporter. That is a single course
of conduct, and Cioni forbids the felony enhancement.
B.
Auernheimer Did Not Violate N.J. Stat. Ann. § 2C:20-31(a) Both
Because the Program Did Not Circumvent a Code-Based
Restriction and Because New Jersey Does Not and Cannot
Regulate Purely Extraterritorial Conduct.
Even if this court concludes that the felony enhancement can apply despite
Cioni, it does not apply in this case because the conduct proved at trial did not
violate N.J. Stat. Ann. § 2C:20-31(a). That is true for two reasons. First, obtaining
the information from AT&T’s servers did not constitute unauthorized access under
New Jersey law as construed in State v. Riley, 988 A.2d 1252, 1267 (N.J. Super.
Ct. Law Div. 2009). And second, New Jersey’s unauthorized access statute does
not extend to acts occurring entirely outside New Jersey.
1.
The Program Did Not Violate New Jersey Law Because It Did
Not Circumvent Any Code-Based Restrictions.
The government first argues that the conduct violated N.J. Stat. Ann. §
2C:20-31(a) because either the conduct circumvented a code-based restriction or at
least impersonated an iPad user. GB 55-57. This is incorrect. As the government
appears to acknowledge, the “code-based restriction” test adopted in Riley comes
from a law review article, Cybercrime’s Scope: Interpreting “Access” and
“Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003).
19
See Riley, 988 A.2d at 1262, 1267; see also GB at 57.
As described in
Cybercrime’s Scope, the circumvention of a code-based restriction requires the
computer owner to “erect code-based barriers to unwanted access” such as a
password gate.
Id. at 1651.
Here, that did not occur: AT&T published the
information on the Web where anyone with a web browser could access it.
Alternatively, the Government relies on State v. Gaikwad, 793 A.2d 39 (N.J.
App. Div. 2002) for the view that “impersonating an authorized user constitutes
unauthorized access” under New Jersey law even absent circumvention of a codebased restriction.
GB 57-58.
This argument fails because the defendant in
Gaikwad clearly circumvented a code-based restriction. Gaikwad hacked in to a
computer network that required a username and password to access it, and he used
that access to break into private accounts to specific individuals at AT&T.
Gaikwad, 793 A2.d at 70-74.
2.
The Program Did Not Violate N.J. Stat. Ann. § 2C:20-31(a)
Because New Jersey Law Does Not and Cannot Apply to Purely
Extraterritorial Conduct.
The government wrongly assumes that this Court must review the territorial
scope of New Jersey law for plain error because it was not specifically argued
below. See GB 58. Under this Court’s precedent, however, the standard of review
is de novo. “[A] timely motion for acquittal under Federal Rule of Criminal
Procedure 29(c) will preserve a sufficiency-of-the-evidence claim for review,
20
irrespective of whether the defendant raised the claim at trial.” United States v.
Miller, 527 F.3d 54, 62 (3d Cir. 2008). A nonspecific motion under Rule 29
preserves all sufficiency claims. See United States v. Walker, Nos. 11–2727, 11–
2845, 11–3087, 11–3088, 2013 WL 3481682, at *1 (3d Cir. 2013) (citing United
States v. Hammoude, 51 F.3d 288, 291 (D.C. Cir. 1995)). Further, a preserved
sufficiency claim is reviewed de novo. See United States v. Pavulak, 700 F.3d 651,
668 (3d Cir. 2012). Auernheimer filed a timely Rule 29(c) motion as well as a
timely Rule 29(a) motion, so this sufficiency claim was fully preserved and the
standard of review is de novo. See App2. 339, 729-731.
On the merits, the government argues that New Jersey has jurisdiction over
the offense because the disclosure of the email addresses occurred in New Jersey
when a New Jersey FBI agent read the Gawker story from his office in Newark.
GB 60. This claim is based on a misunderstanding of the record. Auernheimer
disclosed the list of collected email addresses to Ryan Tate of Gawker. App2. 150,
273, 349. The record does not indicate the state in which Tate was located, but
there was no evidence that Tate was in New Jersey. See App2. 349, 359, 599-600,
602-03. When Gawker ran its story, it did not publish the list of email addresses.
App1. 8. As the evidence at trial showed, the Gawker article included only a small
number of redacted email addresses, none of which were of users in New Jersey.
Id. Contrary to the government’s claim, no disclosure of any New Jersey email
21
address occurred in New Jersey or was even viewable over the Internet from a
New Jersey location.
The government is also wrong in claiming New Jersey can regulate purely
out of state conduct under the Dormant Commerce Clause, thus permitting a
statutory interpretation of New Jersey criminal law to cover transactions entirely
outside New Jersey. GB 61. The government relies on dicta from McBurney v.
Young, 133 S.Ct. 1709 (2013), to suggest that the Dormant Commerce Clause only
protects against “protectionist measure[s].” GB 61 (citing McBurney, 133 S. Ct. at
1719-20). To the contrary, “a statute that directly controls commerce occurring
wholly outside the boundaries of a State exceeds the inherent limits of the enacting
State’s authority and is invalid regardless of whether the statute’s extraterritorial
reach was intended by the legislature.” Healy v. Beer Institute, Inc., 491 U.S. 324,
336 (1989) (internal quotations omitted).
In this case, the United States wants to construe New Jersey’s computer
crime law to have exactly the extraterritorial control that the dormant Commerce
Clause forbids. Further, the government’s statutory construction of New Jersey
criminal law would not only apply to prosecutions brought under N.J. Stat. Ann.
§ 2C:20-31(a), but to all of New Jersey’s criminal laws, or at least all of New
Jersey’s computer crime laws, which share the same territorial reach. See AB 37.
The United States wants New Jersey law to reach out and regulate transactions
22
throughout the entire country – if not the entire world – whenever anyone
anywhere does anything that might impact New Jersey residents. GB 60. The
Dormant Commerce Clause forbids such a law.
See, e.g., PSINet, Inc. v.
Chapman, 362 F.3d 227, 240-41 (4th Cir. 2004) (enjoining Virginia Internet
regulation); American Civil Liberties Union v. Johnson, 194 F.3d 1149, 1160-61
(10th Cir. 1999) (enjoining a New Mexico Internet regulation); Center For
Democracy & Technology v. Pappert, 337 F.Supp.2d 606, 662 (E.D. Pa. 2004)
(striking down Pennsylvania law on Internet filtering that regulated all websites
viewable from Pennsylvania because the law “has the practical effect of exporting
Pennsylvania’s domestic policies” nationwide); American Libraries Ass’n v.
Pataki, 969 F.Supp. 160, 173-75 (S.D.N.Y. 1997).
There is no New Jersey precedent interpreting the territorial scope of its
computer crime statutes. The language of the territorial limit is vague, leaving
uncertain whether the New Jersey legislature intended it to have extraterritorial
effect. This Court should reject the government’s novel and unprecedented
interpretation by construing the New Jersey statute to not extend to purely
extraterritorial offenses in light of constitutional concerns. See Miller v. French,
530 U.S. 327, 335 (2000) (“[C]onstitutionally doubtful constructions should be
avoided where ‘fairly possible.’”) (citing Communications Workers v. Beck, 487
23
U.S. 735, 762 (1988)). So construed, the conduct of Auernheimer and Spitler did
not violate N.J. Stat. Ann. § 2C:20-31(a).
III.
THE GOVERNMENT CANNOT DEFEND AUERNHEIMER’S
CONVICTION ON COUNT 2 BASED ON A NEW THEORY OF
LIABILITY NEVER PRESENTED TO THE JURY.
The government’s defense of Count 2 begins by claiming that plain error
review should apply because Auernheimer’s sufficiency argument was not raised
in precisely the same form at trial. GB 63, n. 21. The government is wrong again.
As noted earlier, “a timely motion for acquittal under Rule 29(c) will preserve a
sufficiency-of-the-evidence claim for review, irrespective of whether the defendant
raised the claim at trial.” Miller, 527 F.3d at 62. Auernheimer is challenging the
sufficiency of the evidence under Count 2, and he filed a timely motion for
acquittal both under Rule 29(a) under Rule 29(c) on that count. See App2. 339,
729-31. His claim is therefore preserved for de novo review. See Walker, 2013
WL 3481682 at *1, Pavulak, 700 F.3d at 668.
On the merits, the Government defends the conviction for Count 2 by
introducing a theory of liability never presented to the jury. Count 2 charged
Auernheimer with identity theft in violation of 18 U.S.C. § 1028(a)(7). At trial, the
government argued that Auernheimer violated Count 2 by possessing the
email/ICC-ID pairings and then transferring them to Gawker in relation to the prior
24
offense of violating the CFAA by using the program to collect the email addresses.
The prosecutor argued to the jury that it should convict on Count 2 on that basis:
So with those e-mail addresses and those ICC-IDS that the defendant
possessed and transferred to Gawker, were those means of
identification? The evidence is clear that they were. And how do you
know? The defendant possessed and transferred e-mail addresses to
Gawker. . . . We know the information the defendant possessed and
transferred were means of identification.
App2. 598-99.
In response to Auernheimer’s challenge to the conviction on Count 2, the
government now defends the conviction on appeal by switching to an entirely
different argument. For the first time, the government advances a new appellate
theory that Auernheimer violated § 1028(a)(7) because he “used” the ICC-IDs by
entering them into Spitler’s program before the unauthorized access was
committed in order to collect the e-mail addresses from AT&T’s website. See GB
64-65 (“Auernheimer mistakenly focuses on his ‘transfer’ of the e-mail addresses.
But the correct focus should be on his ‘use’ of the ICC-IDs. Auernheimer used the
ICC-IDs, which qualified as a means of identification, ‘with the intent to commit’
the federal crime of unauthorized computer access.”).
The government introduces this new theory to try to satisfy the dual
criminality requirement of § 1028(a)(7) that was absent at trial. See AB 39-41. By
switching to a new theory of liability, the Government can now articulate two
offenses: First, the use of the ICC-IDs in violation of the CFAA, and second, the
25
disclosure of the email/ICC-ID pairings to Gawker in violation of New Jersey law.
See GB 66-67. On that basis, the Government argues that the conviction in Count
2 should be affirmed. See id.
The government’s creative reimaging of its case fails because of a bedrock
principle of appellate review: An appellate court “cannot affirm a criminal
conviction on the basis of a theory not presented to the jury.” Chiarella, 445 U.S
at 236; see also Dunn v. United States, 442 U.S. 100, 107 (1979) (“[A]ppellate
courts are not free to revise the basis on which a defendant is convicted simply
because the same result would likely obtain on retrial”). For an appellate court to
affirm a conviction based on the sufficiency of the evidence, the court can only
consider the argument that the government actually “built its case” on as “part of a
coherent theory of guilt” at trial. Cola v. Reardon, 787 F.2d 681, 693 (1st Cir.
1986).
The government’s new argument for why Auernheimer violated Count 2
must be rejected because it was never presented to the jury. The prosecutors never
argued that including the ICC-IDs in the website addresses was a prohibited “use”
of those numbers. Further, recall that Count 2 was not charged as a conspiracy.
See App1. 16. Given that Spitler was the one who “used” the ICC-IDs, not
Auernheimer, the government would have needed to instruct the jury on the
principles of accomplice liability to allow the jury to decide whether Auernheimer
26
aided and abetted Spitler’s “use.” The government never asked for an aiding and
abetting instruction, however, and the jury never received one. See App2. 708-09.
Because the government’s new theory was never presented to the jury – and the
jury did not even receive the instructions needed to assess this new argument – the
Court cannot affirm the conviction on that basis.10
IV.
VENUE WAS IMPROPER IN NEW JERSEY ON BOTH COUNTS
Even if this Court concludes that Auernheimer was guilty of both Counts, the
Court must vacate the convictions because the government failed to establish
venue in the District of New Jersey. The Government presents a series of novel
arguments for why venue was proper in New Jersey. None of their arguments are
persuasive.
A.
The “Substantial Contacts” Test Cannot Establish Venue Because
it is a Limitation on Venue and Not a Test to Establish It.
The government’s first argument is that venue was established under the
“substantial contacts” test referred to in United States v. Goldberg, 830 F.2d 459,
466 (3d Cir. 1987) (quoting United States v. Reed, 773 F.2d 477, 480-81 (2d Cir.
1985)). The government presents the substantial contacts test as a “broader test”
than the crucial elements test found elsewhere in Third Circuit caselaw. GB 70.
10
Such an argument would have been an uphill battle for a range of reasons,
among them that ICC-IDs taken alone are not “means of identification.” See
United States v. Mitchell, 518 F.3d 230, 235 (4th Cir. 2008) (use of another
person’s name not enough in and of itself to be use of a “means of identification”
for § 1028 since name may not be “sufficiently unique”).
27
The government then argues that venue exists under the substantial contacts test
even if no crucial elements of the offenses occurred in New Jersey. Id. at 71-7311
The Government’s argument reflects a simple misunderstanding of the
substantial contacts test. The substantial contacts test is a constitutional limitation
on venue, not a means of establishing venue. See United States v. Davis, 689 F.3d
179, 186 (2d Cir. 2012) (quoting Reed, 773 F.2d at 481) (“To comport with
constitutional safeguards,” venue “require[s] more than ‘some activity in the situs
district’; instead, there must be ‘substantial contacts . . . .’”); Goldberg, 830 F.2d at
466 (describing the substantial contacts test as the test that “[t]he constitution
requires”). In other words, establishing venue requires the government to satisfy
both the statutory essential elements test and also the constitutional substantial
contacts test. See United States v. Royer, 549 F.3d 886, 895 (2d Cir. 2008) (noting
that “venue must not only involve some activity in the situs district but also satisfy
the ‘substantial contacts’ test”); Saavedra, 223 F.3d at 93.
Further, it is unclear whether the Third Circuit has adopted the substantial
contacts test. The Second Circuit established the test in Reed in 1985, and a few
other circuits have discussed it since then. See, e.g., United States v. Muhammad,
502 F.3d 646, 652 (7th Cir. 2007); United States v. Williams, 274 F.3d 1079, 1084
11
The “crucial elements” test is another term for the “essential conduct elements”
test. Compare United States v. Pendleton, 658 F.3d 299, 303 (3d Cir. 2011)
(“crucial element”), with United States v. Saavedra, 223 F.3d 85, 90 (2d Cir. 2000)
(“essential conduct element”).
28
(6th Cir. 2001); United States v. Cofield, 11 F.3d 413, 417 (4th Cir. 1993).
However, it is uncertain whether the Third Circuit adopted the test. This Court’s
decision in Goldberg quoted from Reed, to be sure, but without the context or
explanation needed to know if the court was adopting it as Third Circuit precedent.
See Goldberg, 830 F.2d at 466. And the Third Circuit has not mentioned the
substantial contacts test since Goldberg in over a quarter of a century of
subsequent caselaw.
Supreme Court decisions after Goldberg explain why this Court has not
cited the substantial contacts test since 1987. At the time of Reed and Goldberg,
the precise relationship between the substantial contacts test and statutory venue
requirements was uncertain. The Supreme Court’s subsequent decisions in United
States v. Cabrales, 524 U.S. 1 (1998), and United States v. Rodriguez-Moreno, 526
U.S. 275 (1999), established a rigorous elements-based approach to interpreting
venue under statutory law. “[T]he focus in those cases on the actual elements of
the crime” was “inconsistent with the substantial contacts standard insofar as it
would establish venue based on an ‘effect’ that is not an element of the crime.”
4 Wayne R. LaFave, et al., Criminal Procedure § 16.2(e) (3d ed. 2012).
Put another way, the Supreme Court’s decisions have not eliminated the
“substantial contacts” test, but they have rendered the test irrelevant to whether
venue exists based on effects of a crime. Because statutory venue cannot exist
29
based on a claimed effect that is not a statutory element of the crime, see United
States v. Clenney, 434 F.3d 780, 782 (5th Cir. 2005) (per curiam), the
constitutional substantial contacts test cannot play a role in determining venue in
such cases. At most, the substantial contacts test will only provide an additional
alternative basis for the conclusion that no venue existed. See, e.g., United States
v. Alvarado, --- F.Supp.2d ----, 2013 WL 3816692 at *4 (E.D.Wis. 2013) (finding
no venue in Wisconsin where a prisoner in Oklahoma threatened to kill his
probation officer located in Wisconsin under both the elements test and substantial
contacts test).
For these reasons, the government’s effort to establish venue based on the
“substantial contacts” test cannot succeed.
B.
The Government Cannot Establish Venue for Count 1 by
Invoking the Prosecutor’s Decision to Charge Count 1 as a Felony
Using a New Jersey Statute.
The Government next argues that venue exists for Count 1 under the “crucial
elements” test because it charged Auernheimer with a conspiracy to violate the
CFAA in furtherance of a New Jersey law.
In the Government’s view, the
prosecutor’s decision to charge Count 1 using a felony enhancement based on a
New Jersey law violation creates venue in New Jersey. GB at 75-77.
The government’s argument is incorrect. When Congress “makes an offense
dependent on proof of an antecedent crime, that language will not support venue.”
30
United States v. Oceanpro Indus., Ltd., 674 F.3d 323, 329 (4th Cir. 2012). This
reflects the basic principle that Congress, not the prosecutor, decides where venue
is proper.
See Travis v. United States, 364 U.S. 631, 634 (1961) (“[V]enue
provisions in Acts of Congress should not be so freely construed as to give the
Government the choice of a tribunal favorable to it.”) (internal quotation marks
omitted).
The Fourth Circuit’s decision in United States v. Bowens, 224 F.3d 302 (4th
Cir. 2000), is illustrative.
Bowens was charged with harboring fugitives in
violation of 18 U.S.C. § 1071, which prohibits “harbor[ing] or conceal[ing] any
person for whose arrest a warrant or process has been issued under the provisions
of any law of the United States, so as to prevent his discovery and arrest[.]” After
arrest warrants had been issued in the Eastern District of Virginia, Bowens
harbored the two fugitives within the district of South Carolina. Bowens, 224 F.3d
at 305-07.
The Fourth Circuit held that venue was improper in the Eastern District of
Virginia even though the predicate crime was established by arrest warrants there.
The court conceded that “issuance of a federal arrest warrant” in Virginia was “an
essential element of the government's case.” Id. at 309. Nonetheless, venue was
improper in Virginia because venue was “limited to the place where the essential
conduct elements occur, without regard to the place where other essential elements
31
of the crime occur[.]” Id. (emphasis added). The government could charge the
defendant with harboring fugitives only in South Carolina, where the essential
conduct of harboring the fugitives took place. See id.
Bowens explains why the government’s choice to invoke a predicate state
offense in Count 1 cannot establish venue in the state where that law originates.
The predicate state law violation has no impact on the “essential conduct” that
Congress prohibited. Just as the Virginia warrants in Bowens could not establish
venue in Virginia, so the government’s claim that the conduct also violated New
Jersey law cannot establish venue in New Jersey. A prosecutor’s decision to pick a
New Jersey law as a possible felony enhancement no more creates venue in New
Jersey than would picking a federal law create venue in every federal district.
The government’s reliance on Rodriguez-Moreno is misplaced.
Under
Rodriguez-Moreno, the key distinction is between an “essential conduct element”
that establishes venue and a “circumstance element” that does not. 526 U.S. at 280
n. 4 (citing Cabrales, 524 U.S. at 7). An “essential conduct element” describes the
act that the defendant committed, while the “circumstance element” describes the
circumstances that existed at the time of his act. Id. The felony enhancement
cannot create venue in New Jersey under Rodriguez-Moreno because it is a
circumstance element rather than an essential conduct element.
32
This is clear from both the plain text of the felony enhancement and its
location in 18 U.S.C. § 1030.
The felony enhancement does not appear in
§ 1030(a), the part of the CFAA that identifies criminal conduct.
Instead, it
appears in § 1030(c), which states the statutory maximum punishments for
different CFAA offenses. Consider the language of the felony enhancement as a
whole:
(c) The punishment for an offense under subsection (a) or (b) of this
section is— . . . (2)(B) a fine under this title or imprisonment for not
more than 5 years, or both, in the case of an offense under subsection
(a)(2),. . . if— (i) the offense was committed for purposes of
commercial advantage or private financial gain; (ii) the offense was
committed in furtherance of any criminal or tortious act in violation of
the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000[.]
18 U.S.C. § 1030(c)(2). This language does not describe “essential conduct” that
Congress prohibited. Instead, it merely identifies various circumstances in which
“an offense under subsection (a) or (b)” is punished as a 5-year felony instead of a
misdemeanor. Id. The circumstances do not change the underlying offense or
expand venue.
They merely change the maximum statutory punishment at
sentencing. Because they are only circumstance elements, they are not essential
conduct elements and cannot establish venue. See United States v. Coplan, 703
F.3d 46, 78-79 (2d Cir. 2012); United States v. Strain, 396 F.3d 689, 694 n.5 (5th
Cir. 2005).
33
Clenney is also on point. Clenney lived in the Southern District of Texas,
and he had fathered a child who lived with his mother in the Northern District of
Texas. Clenney, 434 F.3d at 781. When the child was visiting Clenney in the
Southern District, Clenney kidnapped the child and took him to Belize.
Id.
Clenney was charged in the Northern District with removing a child from United
States “with intent to obstruct the lawful exercise of parental rights” in violation of
18 U.S.C. § 1204. The government argued that venue was proper in the Northern
District because he had formed the relevant intent in the Northern District and
because the mother’s parental rights were affected in the Northern District.
Clenney, 434 F.3d at 781.
The Fifth Circuit rejected the government’s argument and reversed the
conviction, ruling that venue was improper in the Northern District because no
essential conduct element of the crime occurred there. Id. at 781-82. The forming
of the required intent was merely a circumstance that existed when Clenney acted,
not the act itself. Id. at 782. As a result, the intent was “plainly not an essential
conduct element as required by Rodriguez-Moreno” and could not establish venue.
Id. (quotations omitted). The effect on parental rights in the Northern District was
similarly irrelevant because it was not an essential conduct element of the crime.
Id. The reasoning of Clenney is fully applicable here: Neither a circumstance
34
element of the crime nor alleged affects of the crime can create venue in New
Jersey because no essential conduct element was committed there.
C.
The Government Cannot Establish Venue for Count 1 Based on a
Failure to Act in New Jersey.
The government next claims there was venue in New Jersey for Count 1
because Spitler and Auernheimer had a legal obligation to obtain explicit
authorization from 4,500 New Jersey residents before using their ICC-ID numbers
to access AT&T’s servers. GB 80. The failure to do so implicitly took place in
New Jersey, the government contends, making venue proper there. Id.
The government’s argument is wrong.
There is no support for the
government’s view that the failure of a person to take steps to nullify a criminal act
establishes venue wherever that failure to nullify a criminal act occurs. “[V]enue
is limited to the place ‘where the criminal act is done.’” Bowens, 224 F.3d at 309
(quoting in part United States v. Anderson, 328 U.S. 699, 705 (1946)). There is no
precedent for the government’s claim that venue additionally lies in any district
where a hypothetical act could have occurred that would have prevented the
offense. Cf. Clenney, 434 F.3d at 782.
The government’s authority is a sentence found in a treatise that “[i]f the
statute makes it a crime to fail to do some act required by law, the failure takes
place in, and the proper venue is, the district in which the act should have been
done.”
GB 80 (citing 2 Charles Alan Wright, et al., Federal Practice and
35
Procedure § 302 (4th ed. 2013)). That sentence offers no support here, however,
as that that rule only applies when the law expressly mandates an act and therefore
criminally punishes the omission of that act. See Wright, supra. Examples of such
crimes include the failure to pay income taxes, failure to sign up for the draft, and
the failure to pay child support. Id.; see generally Wayne R. LaFave, Criminal
Law § 6.2 (4th Ed. 2003) (discussing crimes of omission).
When the government creates a criminal offense that mandates an
affirmative act, the failure to act creates venue where the criminal omission occurs.
See Wright, supra. But that guidance has no relevance to the CFAA, as the CFAA
does not mandate any conduct. Like most criminal statutes, the CFAA permits
inaction and punishes prohibited acts. It does not mandate actions and punish
inaction. As a result, venue standards for crimes of omission are irrelevant.12
D.
Venue Was Not Established for Count 1 When an FBI Agent In
New Jersey Read About the Alleged Offense Over the Internet.
The Government’s next argument is that venue was proper for Count 1
12
Even if the court accepted the government’s novel “failure to act” theory of
venue, it would not establish venue in this case. As with all trespass statutes, the
right to control authorization belongs to property owner. See, e.g.,Verizon Nw.,
Inc. v. Main St. Dev., Inc., 693 F. Supp. 2d 1265, 1278 (D. Or. 2010). A property
owner may confer rights to access his property to others, but it retains the ultimate
right to control its property. In the context of the CFAA, the computer owner
controls access rights on the computer. See Brekka, 581 F.3d at 1133. If
“permission” needs to be obtained to access a computer, the source of that
permission is from the owner rather than the user. As a result, even under the
government’s theory, the venue for a CFAA offense would be where AT&T is
located, not where its users are located.
36
because an FBI agent in New Jersey read about the alleged crime over the Internet.
GB 84-89. The Government’s theory appears to be that the crime of Count 1
continued for a long time after the actual elements of the crime were satisfied.
After Auernheimer and Spitler conspired to violate the CFAA, as charged in Count
1, the following events occurred: First, Spitler collected the email addresses; next,
Auernheimer disclosed the email addresses to Gawker; after that, Gawker
published its story; and finally, when the Gawker story became a major news
event, an FBI agent in New Jersey visited the Gawker website and read the story.
Id. at 84-86. In the Government’s telling, all of these acts are a part of the
continuing crime, so there is venue in New Jersey where the FBI agent was sitting
when he surfed the web and stumbled across the Gawker story. Id.
The Government’s theory is incorrect. Under 18 U.S.C. § 3237, conduct
cannot establish venue after the crime has been completed. And the crime is
complete after the elements of the offense have been satisfied. For example, when
Congress punishes traveling with intent to engage in illicit sexual conduct, the
crime is completed “as soon as one begins to travel with the intent to engage in a
sex act with a minor.” Pendleton, 658 F.3d at 304. When Congress prohibits
passport fraud, the crime is complete when the false statement is made and does
not continue on to the time the application is processed. United States v. Salinas,
373 F.3d 161, 166 (1st Cir. 2004). When Congress prohibits making a false
37
statement, the crime is complete when the statement is made. United States v. Bin
Laden, 146 F.Supp.2d 373, 377 (S.D.N.Y. 2001).
Under these principles, the crime described in Count 1 was completed when
the unauthorized access occurred and the information was collected. The offense
began in California, where Spitler was located. App.2 233. The crime continued
in Arkansas, where Auernheimer was based.
Id. at 185.
The offense was
completed when Spitler accessed AT&T’s servers in Atlanta, Georgia and Dallas,
Texas, and obtained the ICC-ID/email pairings. Id. at 434-35, 443-44.
What happened afterwards was not part of the offense charged in Count 1,
and therefore what happened afterwards cannot establish venue. The offense did
not continue into New Jersey simply because the FBI agent who eventually
decided to investigate the crime happened to be in New Jersey. The investigation
that started after the Gawker story was featured on the Drudge Report is not part of
crime. Cf., Travis, 364 U.S. at 634 (noting that venue “should not be so freely
construed” as to give the Government its choice of venue); United States v.
Ramirez, 420 F.3d 134, 146 (2d Cir. 2005) (explaining that “provisions implicating
venue are to be narrowly construed”).
The government’s reliance on United States v. Rowe, 414 F.3d 271 (2d Cir.
2005), is misplaced. The Government presents Rowe as a case about “venue for
internet crimes,” and it argues that because the court found venue where a
38
government agent was located in that case it must also stand for allowing venue
here. GB 84. Not so. Rowe stands for the entirely unremarkable principle that a
crime prohibiting the distribution of an illegal communication can be prosecuted
wherever the communication was sent or received. Rowe, 414 F.3d at 279-80. Of
course that is the case: The illegal communication actually travels from one district
to another, creating venue in both districts. See, e.g., United States v. Thomas, 74
F.3d 701, 709 (6th Cir.1996) (venue for distributing illegal obscenity). That has no
relevance here, however, as the crime charged in Count 1 was not a distribution
offense.13
E.
Assuming Venue Was Proper for Count 1, Venue Was Improper
For Count 2.
The Government next asserts that venue for Count 2 was proper because it
was proper for Count 1. GB 94-95. The government bases this conclusion on the
Second Circuit’s rule that venue for an identity theft crime is proper wherever
venue is proper for the predicate crime.
See id. (citing United States v.
Magassouba, 619 F.3d 202, 203 (2d Cir. 2010)).
The Government’s argument fails on its own terms by ignoring the
indictment. The Government did not charge Count 1 as the underlying predicate
13
The Government also relies on the Magistrate Judge’s opinion in United States v.
Powers, No. 8:09-cr-00361, 2010 WL 1418172 (D. Neb. Mar. 4, 2010). GB 8789. As explained in Auernheimer’s opening brief, that case is distinguishable
because the defendant actually sent messages into the jurisdiction where the case
was charged. See AB 50, n. 19.
39
offense of Count 2. Instead, the predicate offense charged in Count 2 was a
misdemeanor violation of 18 U.S.C. § 1030(a)(2)(C) without the felony
enhancement. See App1. 6. Because the government’s case for venue on Count 1
rests primarily on the felony enhancement that charged a violation of New Jersey
law, the arguments for venue in Count 2 cannot rely on any of those arguments.
Instead, venue must be established based only on the venue of the underlying
predicate misdemeanor offense that had nothing to do with New Jersey. The
Government cannot satisfy that standard. See AB 49.
The Government also argues that venue is proper for Count 2 even if it is
improper for Count 1 “because identity fraud is a more personal victim-based harm
than computer fraud, and the residence of the victims matters far more here than
the location of the computer servers.” GB 96. This argument reflects the same
erroneous effects-based approach to venue found in its discussion of Count 1
discussed above. The fact that a crime can have effects in a district does not create
venue there. See, e.g., Clenney, 434 F.3d at 782 (finding venue improper for crime
of interfering with parental rights in the district where parent resides and the effects
of the crime are felt).
40
F.
Venue is Not Subject to Harmless Error Review.
The government concludes its venue discussion with the assertion that if
venue was improper, any error was harmless. GB 97-98. This argument must be
rejected because venue is not subject to harmless error review:
If the venue issue was properly raised in the trial court and is properly before
the appellate court, upon a finding that the proof of venue was insufficient
(either because the prosecution pursued an incorrect legal theory in placing
venue in the particular district or failed to present sufficient evidence as to
alleged events that would establish venue in the district), the conviction will
be reversed. Failure of venue will not be treated as harmless error.
LaFave, et al., Criminal Procedure, 16.1(g). Notably, the government points to no
Third Circuit case applying harmless error review to venue errors.
Instead, the government relies chiefly on a district court case from another
circuit that applied harmless error review to a venue defect. See GB 98 (citing
United States v. Hart-Williams, 967 F. Supp. 73 (S.D.N.Y. 1997)). Subsequent
circuit decisions indicate that the district court decision is not good law even in that
circuit. See United States v. Brennan, 183 F.3d 139, 149 (2d Cir. 1999); Saavedra,
223 F.3d at 100 n.5 (Cabranes, J., dissenting) (considering the possibility of
introducing a harmless error rule for venue but noting that “absent a decision by
this Court en banc, application of the harmless error rule to this case is foreclosed
by our opinion in Brennan”). It is plainly not good law in the Third Circuit, which
has never adopted a harmless error standard for improper venue.
41
Even if a harmless error rule applied, the venue error is not harmless.
Auernheimer was hauled from Arkansas to New Jersey to face a criminal
indictment in a district far from home that he had never even visited before. This
is not a case in which the defendant merely “was tried on the wrong side of the
Brooklyn Bridge.” Hart-Williams, 967 F. Supp. at 78.
Thus, the venue defects were not harmless error and the conviction must be
reversed.
V.
THE ALLEGED MAILING COSTS WERE NOT “LOSS” UNDER
THE SENTENCING GUIDELINES.
Auernheimer argued in his opening brief that the 41-month sentence
imposed upon him was improper for three reasons.
AB 51-59.
First the
government failed to prove AT&T suffered an approximately $73,000 “loss” for
purposes of the U.S. Sentencing Guideline calculations. Id. at 51-53. Second, the
alleged mailing costs did not qualify as “loss” for purposes of the CFAA, and in
turn, United States Sentencing Guideline (“U.S.S.G.”) § 2B1.1. Id. at 53-57. And
finally, the supposed mailing costs were unreasonable since email notice was
effective. Id. at 58-59. None of the government’s arguments have merit.
42
A.
The Government Failed to Prove AT&T Suffered a $73,000
“Loss.”
1.
The Standard of Review Should Be Clear Error, Not Plain
Error.
The standard of review for factual findings during sentencing, including loss
calculations under U.S.S.G. § 2B1.1, is clear error. See United States v. Dullum,
560 F.3d 133, 137 (3d Cir. 2009). A finding is “clearly erroneous” when this
Court finds a “definite and firm conviction that a mistake has been committed.”
United States v. Grier, 475 F.3d 556, 570 (3d Cir. 2007) (quoting Concrete Pipe &
Prods. of Cal., Inc. v. Constr. Laborers Pension Trust for S. Cal., 508 U.S. 602,
622 (1993) (quotation omitted)).
The government argues that the Court should review this claim under the
much more deferential plain error standard, arguing that Auernheimer failed to
raise this objection at sentencing. GB 104. The government is wrong. In his
sentencing papers, Auernheimer objected that the “evidence at trial established no
loss to AT&T,” and specifically noted that AT&T declined the probation office’s
offer to provide a statement of its losses for inclusion in the presentence report
(“PSR”). See App2. 748. He made the same objection at the sentencing hearing,
telling the district court “there was no evidence submitted at trial as to this loss by
AT&T. AT&T was given an opportunity by the Probation Department to submit
an affidavit as to its damages. It did not do so.” Id. at 762.
43
Both the sentencing papers and this colloquy make clear that Auernheimer
objected to the government’s proof on loss. The government’s position is also
undermined by the fact that Auernheimer argued the total offense level should
have been six under the Guidelines, a challenge to both the legal and factual
conclusions underpinning the PSR’s recommended sentencing range. Id. at 748.14
The proper standard of review is clear error, not plain error.
2.
Nothing in the Record Supports the “Loss” Amount.
Just as it failed to point to any evidence of the “loss” amount at trial and
sentencing, the government can point to nothing in the record below to support the
“loss” amount in its reply brief.
The sole evidence of “loss” mentioned in the government’s reply brief is the
last sentence of the criminal complaint, filed more than two years before the
sentencing, which noted “AT&T has spent approximately $73,000 in remedying
the data breach.” Id. at 58. But where this number came from is a mystery.
Despite the fact AT&T’s assistant vice president, Shirley Ramsey, testified at the
trial, she presented no evidence of the amount of loss. Id. at 212-22. Nor did the
PSR present any direct evidence – such as an invoice, receipt or expense report –
14
Nor would Auernheimer’s reference to the “$73,167 ‘loss’” in his sentencing
papers be a concession that he agreed that amount was proven. See GB at 104;
App2. 750. Rather, given the fact that both the PSR and the government’s
sentencing papers used that amount to calculate the Guideline calculations, it
would have been foolish for Auernheimer to ignore this assertion.
44
explaining how this amount was determined. While AT&T had the chance to
explain its “losses” in the PSR, it declined to do so, as Auernheimer pointed out in
his sentencing papers and before the district court. See PSR at 18, ¶ 53, App2. 748,
762.
The government has not and cannot provide this Court with information
such as how much was spent on envelopes, printing or postage. In the absence of
any actual evidence – rather than conjecture – as to how much AT&T spent, the
government failed to make a “prima facie case of the loss amount,” and thus
applying the eight-level increase under U.S.S.G. § 2B1.1(b)(1)(E) was clear error.
See United States v. Fumo, 655 F.3d 288, 310 (3d Cir. 2011); see also United
States v. Rodriguez, --- F.3d ----, 2013 WL 5630962, at *6 (11th Cir. Oct. 16,
2013) (Bowen, J., concurring) (“The Government’s cavalier disregard for the need
of further evidence, specific references to a trial transcript, or another basis upon
which the district court may make sustainable [sentencing] findings is all too
typical.”).
B.
Alleged Costs AT&T Spent Notifying its Customers Is Not
“Actual Loss” Under U.S.S.G. § 2B1.1.
Section 2B1.1 applies to both counts of conviction.
Under U.S.S.G.
§ 2B1.1(b), the offense level is increased depending on the amount of “actual” or
“intended” loss at issue in the case. U.S.S.G. § 2B1.1 app. n. (3)(A). There are
two definitions of “actual” loss relevant here. First, in general, “actual” loss is
45
defined as “the reasonably foreseeable pecuniary harm that resulted from the
offense.” Id. at app. n. (3)(A)(i). This definition could apply to either count of
conviction here.
But the Guidelines also have a broader definition of “loss”
specifically for CFAA convictions that would only apply to the conviction on
count one for conspiracy to violate the CFAA. Id. at app. n. (3)(A)(v)(III).
The claimed mailing costs fail to meet either definition of “loss” under
U.S.S.G. § 2B1.1 and thus the sentence must be reversed.
1.
The Mailing Costs Were Not “Reasonably Foreseeable
Pecuniary Harm” Under U.S.S.G. § 2B1.1.
The government claims that even if notification costs are not “loss” for
purposes of the CFAA, they would still qualify as loss for purposes of the identity
theft conviction on count two of the superseding indictment. GB 101. “Loss”
under this non-CFAA specific definition means “the reasonably foreseeable
pecuniary harm that resulted from the offense.” U.S.S.G. § 2B1.1 app. n. (3)(A)(i).
“Reasonably foreseeable pecuniary harm” means financial harm “that the
defendant knew or, under the circumstances, reasonably should have known, was a
potential result of the offense.” Id. at app.n. (3)(A)(iv). The government presents
only one argument why the alleged mailing costs were a “reasonably foreseeable”
loss: it claims many states require a company notify its customers of a security
breach and thus Auernheimer should have reasonably known that AT&T would
incur expenses to fulfill this obligation. GB 100.
46
But the government’s theory suffers from two major flaws.
First, the
government presented no evidence that AT&T was under a legal obligation to
notify its customers. Although most states have breach notification laws, many do
not include email addresses unconnected with a financial institution as the type of
information that if disclosed, triggers a disclosure requirement. Most tellingly, one
of those states is New Jersey, the state where the government charged Auernheimer
and Spitler because of the presence of 4,500 “victims” there. See N.J. Stat. Ann.
§ 56:8-161; App2. 221.15
Second, even if the government proved AT&T had a legal obligation to
notify, AT&T almost completely fulfilled that obligation with the email notice that
reached 98% of affected customers. App2. 215, 228-29, 750.
All the states
involved in this case—Arkansas, California, Georgia, New Jersey and Texas—
require a company to notify its customers of a data breach through one method of
communication, and all permit either physical mailing or electronic notification.
See Ark. Code Ann. § 4-110-105(e); Cal. Civ. Code §§ 1798.29(i), 1798.82(j); Ga.
Code Ann. §§ 10-1-911(4), 10-1-912(a); N.J. Stat. Ann. § 56:8-163(d); Tex. Bus.
& Com. Code Ann. § 521.053(e). Assuming Auernheimer should have reasonably
15
Arkansas and California—the states where Auernheimer and Spitler were
physically located – also did not include email addresses unconnected to a
financial institution in their definitions of “personal information” that trigger
disclosure requirements at the time Spitler accessed the email addresses. After the
conviction, California changed its law to include all email addresses. See Ark.
Code Ann. § 4-110-103(7); Cal. Civ. Code §§ 1798.29(g), 1798.82(h).
47
foreseen that AT&T was going to notify its customers of the breach, it was
unforeseeable that AT&T would duplicate an effective notice by also sending a
letter in the mail.
But in any event, the evidence at trial suggested AT&T chose to notify its
customers because that was AT&T’s “policy and practice,” not because it had a
legal obligation to do so.
App2. 214.
The government quotes some of the
testimony of AT&T’s Shirley Ramsey to show that AT&T considered the incident
“very, very important” and explained how AT&T customers felt “frustrated,”
“scared” and “angry.” GB 102 (quoting App2. 221). But the government omitted
an important piece of Ms. Ramsey’s testimony: her testimony that the incident was
“harmful for our reputation.” App2. 221. That omission is telling because the
Guidelines specifically state “pecuniary harm does not include emotional distress,
harm to reputation, or other non-economic harm.”
U.S.S.G. § 2B1.1 app. n.
(3)(A)(iii).
In other words, in the absence of any actual proof of a legal requirement to
notify its customers, AT&T’s business decision to address its customer’s “anger”
with a duplicate physical mailing is not “reasonably foreseeable pecuniary harm”
under the Guidelines. That means under both the CFAA count and the identity
48
theft count, the alleged mailing costs do not qualify as “loss” under U.S.S.G.
§ 2B1.1.16
2.
The Mailing Costs Were Not Loss Under the Broader Definition
of “Loss” for CFAA Convictions.
There is a second definition of “actual loss” in the Guidelines for CFAA
convictions, which
… includes the following pecuniary harm, regardless of whether such
pecuniary harm was reasonably foreseeable: Any reasonable cost to
any victim, including the cost of responding to an offense, conducting
a damage assessment, and restoring the data, program, system, or
information to its condition prior to the offense, and any revenue lost,
cost incurred, or other damages incurred because of interruption of
service.
U.S.S.G. § 2B1.1 app. n. (3)(A)(v)(III). That definition of “loss” comes from the
text of the CFAA, specifically 18 U.S.C. § 1030(e)(11), and so case law
interpreting “loss” for the CFAA applies with equal force to determining loss
under U.S.S.G. § 2B1.1. See In re Cmty. Bank of N. Virginia, 418 F.3d 277, 29596 (3d Cir. 2005) (“When Congress borrows language from one statute and
incorporates it into a second statute, the language of the two acts ordinarily should
be interpreted the same way.”) (citing Morales v. Trans World Airlines, Inc., 504
U.S. 374, 383–84 (1992)).
16
Even if the supposed mailing costs were deemed “reasonably foreseeable” for
the 2% of customers who did not receive the email notification, “loss” would be
approximately $1,460, or 2% of the alleged $73,000. That would trigger no
increase in the offense level under U.S.S.G. § 2B1.1(b)(1)(A).
49
Auernheimer’s opening brief explained the supposed mailing costs did not
qualify as “loss” for purposes of the CFAA because they were “not related to
computer impairment or computer damages” and thus “not compensable under the
CFAA.” Civic Ctr. Motors, Ltd. v. Mason St. Imp. Cars, Ltd., 387 F. Supp. 2d 378,
382 (S.D.N.Y. 2005); see also AB 54-57. “Loss” under 18 U.S.C. § 1030(e)(11),
and in turn U.S.S.G. § 2B1.1 in CFAA cases, is only intended to cover expenses
spent to investigate and fix damage, or costs incurred “because the computer
cannot function while or until repairs are made.” Nexans Wires S.A. v. Sark-USA,
Inc., 319 F. Supp. 2d 468, 474 (S.D.N.Y. 2004) aff’d, 166 Fed. App’x 559 (2d Cir.
2006) (citing In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 52122 (S.D.N.Y. 2001)).
Here, there was no damage to AT&T computers and nothing to repair. No
data was taken or destroyed and there was no interruption of service. The alleged
mailing costs were not caused by the computer access – meaning money spent to
fix a broken computer or restore service – but rather the disclosure of the email
addresses. And as one court has held in a similar situation, costs associated with
breach notification laws, assuming it was even implicated here, are not recoverable
“loss” for purposes of the CFAA. Farmers Ins. Exch. v. Auto Club Grp., 823 F.
Supp. 2d 847, 855-56 (N.D. Ill. 2011). This is consistent with other cases finding
ancillary costs unrelated to fixing or repairing a computer or restoring service do
50
not qualify as “loss” under the CFAA. See, e.g., Nexans Wires S.A., 319 F. Supp.
2d at 476-78 (travel costs to conduct a damage assessment, lost business revenue
and profits not “loss” for CFAA); Wilson v. Moreau, 440 F. Supp. 2d 81, 110
(D.R.I. 2006) (attorneys fees and litigation costs not “loss” under the CFAA).
The government makes no attempt to even engage with these cases. Instead,
it simply asserts these cases only involve “loss” for the CFAA charge, but not the
identity theft conviction. GB 101. But as explained above, the alleged mailing
costs do not qualify as “loss” under the general definition in U.S.S.G. § 2B1.1 that
applies to the identity theft conviction. And the supposed mailing costs similarly
fail to meet the definition of “loss” under the CFAA specific definition of “loss.”
As a result, the district court erred when it applied the eight level upward
adjustment in U.S.S.G. § 2B1.1(b)(1)(E).
As a result, the sentence must be
reversed.
CONCLUSION
For the reasons discussed above, Auernheimer respectfully requests this
Court overturn his convictions and sentence.
51
Dated this 25th day of October, 2013
Respectfully submitted,
/s/ Hanni M. Fakhoury
Hanni M. Fakhoury
ELECTRONIC
FRONTIER FOUNDATION
815 Eddy Street
San Francisco, CA 94109
Tel.: (415) 436-9333
Orin S. Kerr
2000 H Street, N.W.
Washington, DC 20052
Tel.: (202) 994-4775
Marcia C. Hofmann
LAW OFFICE OF MARCIA C.
HOFMANN
25 Taylor Street
San Francisco, CA 94102
Tel.: (415) 830-6664
Tor B. Ekeland
Mark H. Jaffe
TOR EKELAND, P.C.
155 Water Street
Brooklyn, NY 11201
Tel.: (718) 285-9343
Counsel for DefendantAppellant Andrew Auernheimer
52
CERTIFICATIONS
1.
I certify that a virus check was performed on the PDF file of
Appellant’s Reply Brief using McAfee Security Scan Plus.
2.
In accordance with 3rd Circuit LAR 46. 1(e), I, Hanni M. Fakhoury,
certify that I am a member of the Bar of this Court.
3.
I hereby certify that the electronically filed PDF and hard copies of
the corrected brief filed on October 25, 2013 are identical.
4.
Pursuant to Fed. R. App. P. 32(a)(7)(C), I certify as follows:
a.
This Appellant’s Opening Brief does not comply with the type-
volume limitation of Fed. R. App. P. 32(a)(7)(B) because this brief contains 12,254
words, excluding the parts of the brief exempted by Fed. R. App.
P. 32(a)(7)(B)(iii). Appellant’s Motion for Leave to File a Non-Compliant Brief
was filed on October 14, 2013, and no ruling has been issued as of today’s date;
and
b.
This brief complies with the typeface requirements of Fed. R.
App. P. 32(a)(5) and the type style requirements of Fed. R. App. P. 32(a)(6)
because this brief has been prepared in a proportionally spaced typeface using
Microsoft Word 2011, the word processing system used to prepare the brief, in 14
point font in Times New Roman font.
53
Dated: October 25, 2013
By: /s/ Hanni Fakhoury
Hanni M. Fakhoury
Counsel for DefendantAppellant Andrew Auernheimer
54
CERTIFICATE OF SERVICE
I hereby certify that I electronically filed the foregoing with the Clerk of the
Court for the United States Court of Appeals for the Third Circuit by using the
appellate CM/ECF system on October 25, 2013.
I certify that all participants in the case are registered CM/ECF users and
that service will be accomplished by the appellate CM/ECF system.
Dated: October 25, 2013
By: /s/ Hanni Fakhoury
Hanni M. Fakhoury
Counsel for DefendantAppellant Andrew Auernheimer
55
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?