Court Rejects Evidentiary and CFAA Vagueness Challenges to Conviction for Botnet Hacking Scheme
In United States v. Gasperini, the Court (Cabranes, Lynch, Carney) resolved various challenges by Fabio Gasperini, an Italian citizen, to his conviction under the Computer Fraud and Abuse Act of 1986 (“CFAA”). Gasperini was convicted following an elaborate hacking scheme in which he exploited a “backdoor” of certain internet-connected devices around the globe to seize control of the devices, used the compromised devices to search for other vulnerable devices to grow his computer army, and then unleashed his “botnet” of over 155,000 machines to generate “ad click” revenue and launch distributed denial-of-service attacks. Gasperini was ultimately arrested in the Netherlands and tried in the Eastern District of New York.
While prosecutors brought several felony charges, the jury ultimately convicted Gasperini of only a lesser-included misdemeanor offense (“computer intrusion”), which carried a maximum sentence of 1 year. (In imposing that maximum sentence, the District Court concluded that the prosecutors had proven the felony charges by a preponderance of the evidence and calculated a guidelines range of 63 to 78 months.)
On appeal, Gasperini raised several challenges to his conviction, many of which the Court disposed of in an accompanying summary order. In this published opinion, the Court rejected three remaining challenges: (1) that the CFAA is unconstitutionally vague; (2) that the district court should have suppressed evidence collected from foreign systems and by Italian law enforcement; and (3) that the district court improperly allowed prosecutors to introduce screenshots from the Internet Archive.
Gasperini claimed, for the first time on appeal, that several terms in the CFAA—such as “access” and “information”—were unconstitutionally vague since they were not explicitly defined. Reviewing this new argument for “plain error,” the Court explained that an error could be “plain” only if it was “clear under current law” and yet Gasperini failed to cite a single case that held (or even suggested) that the CFAA misdemeanor offense at issue was unconstitutionally vague. Moreover, the Court observed that there was no due process violation here since Gasperini’s hacking scheme fell “squarely and unambiguously within the core prohibition of the statute.”
Gasperini claimed that the district court should have suppressed two categories of evidence collected abroad.
First, Gasperini claimed that warrants issued to various third-parties pursuant to the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., were impermissibly extraterritorial based on the Second Circuit’s 2016 Microsoft decision (which was subsequently vacated by the Supreme Court as moot due to the government obtaining a new warrant under the later-enacted CLOUD Act). Even assuming, arguendo, that the legal analysis in Microsoft was still correct, and that some of the data collected through the SCA warrants was located abroad, the Court nevertheless rejected Gasperini’s argument that such evidence should have been suppressed. Rather, the Court explained, Gasperini’s challenges were statutory in nature, not constitutional, and the SCA explicitly limits the relief available for any statutory violation to various civil action remedies such as damages and associated legal costs. Accordingly, even if foreign data was collected in violation the SCA, such a violation did not warrant suppressing it in Gasperini’s criminal trial. The Court explained in a footnote that five other Circuit courts have ruled likewise with respect to the unavailability of suppression as a remedy for a nonconstitutional violation of the SCA.
Second, Gasperini argued that the District Court should have suppressed evidence collected from his home by Italian law enforcement officers. According to Gasperini, since those searches were conducted at the request of U.S. law enforcement, they should have been subject to the U.S. constitutional protections of the Fourth Amendment. The Court disagreed, explaining that foreign agents are rendered “virtual agents” of U.S. law enforcement (such that U.S. constitutional protections apply) only if the U.S. agents “directed” or “controlled” the foreign agents’ conduct. This standard was not met by the mere “request” by U.S. law enforcement for a search, which was then executed by Italian officials pursuant to Italian law.
“Wayback Machine” Screenshots
Gasperini claimed that the District Court erred by permitting prosecutors to introduce into evidence historical screenshots of various websites, which had been collected from the “Internet Archive”—also known as the “Wayback Machine.” Gasperini challenged the evidence for lack of authentication, pointing to a 2009 summary order in which the Court upheld the exclusion of Wayback Machine screenshots in a civil trial (based on an abuse of discretion standard). See Novak v. Tucows, Inc., 330 F. App’x. 204 (2d Cir. 2009). However, unlike in that case, during Gasperini’s trial the government called a witness from the Internet Archive to lay a foundation for the screenshots as business records, and that witness was available to Gasperini for cross examination. Accordingly, the District Court here did not abuse its discretion by admitting those screenshots into evidence.
This short opinion breaks no new ground, but nonetheless raises some issues that will no doubt recur as there are instances of alleged computer hacking that can only be prosecuted with cross-border coordination. The Fourth Amendment ruling is consistent with a long-standing body of law about the applicability of the Fourth Amendment to evidence gathered by foreign law enforcement. See, e.g., United States v. Lee, 723 F.3d 134, 139 (2d Cir. 2013) (holding that so long as U.S. agents did not control or direct the search, the government may obtain and use at trial information gathered by foreign police even if “procedures followed in securing it did not fully comply with our nation's constitutional requirements”) (quotation and citation omitted).
By contrast, last year, in United States v. Allen, 864 F.3d 63, 101 (2d Cir. 2017), the Second Circuit held that the Fifth Amendment’s prohibition on the use of compelled testimony in American criminal proceedings does apply even when a foreign sovereign has compelled the testimony. The Fifth Amendment right against compelled self-incrimination “appl[ies] in American courtrooms even when the defendant’s testimony was compelled by foreign officials.” Allen, 864 F.3d at 82. If the Fifth Amendment restricts the use of evidence obtained by foreign officials, why shouldn’t the Fourth Amendment operate likewise? Courts have explained that this difference arises out of the purpose of the exclusionary rule. It is meant to deter Fourth Amendment violations, and foreign police—who are not restricted by the Fourth Amendment—are not likely to be deterred by a ruling in the United States. United States v. Lee, 723 F.3d at 139.
The Court’s ruling on the vagueness of the CFAA was not surprising given the procedural posture and underlying conduct in this case. However, other provisions in the CFAA—such as the term “exceeds authorized access”—have led the Circuit to apply the rule of lenity and to give the statute a more narrowly circumscribed interpretation. See United States v. Valle, 807 F.3d 508, 528 (2d Cir. 2015). Acting out of a concern that the CFAA needs to be “applied consistently by attorneys for the government,” the Department of Justice has also promulgated guidelines concerning how and when prosecutors should use the CFAA. DOJ, “Intake and Charging Policy for Computer Crime Matters,” (Sept. 11, 2014), found at https://www.eff.org/document/doj-cfaa-charging-memo-2014. Although the facts alleged here were within the heartland of what the CFAA is meant to prohibit, the Court left open the possibility that some future case might raise a meritorious challenge to this complicated statute.
-By Jason Vitullo and Harry Sandick