People v. Puesan

OPINION OF THE COURT

Saxe, J.

Since 1986, when the New York State Legislature first enacted Penal Law article 156 to define and combat newly emerging computer-related crimes, the statute has undergone repeated review and revision as new forms of these crimes have continued to emerge (see L 1986, ch 514; L 1993, ch 89; L 2006, ch 558; L 2008 ch 590). As Governor Cuomo observed when he signed article 156 into law, rapid technological advances left the State “without adequate protection against the many insidious forms of computer crime” (Governor’s Mem approving L 1986, ch 514, 1986 McKinney’s Session Laws of NY at 3172). Indeed, a task force of the American Bar Association had described the “frightening spectre” of ever-increasing computer crime (see ABA Task Force on Computer Crime, June 1984 Report on Computer Crime at iii). One of the widespread forms of computer crime is the obtaining of unauthorized access to computerized private information (see Scott Charney & Kent Alexander, Computer Crime, 45 Emory LJ 931, 955 [Summer 1996]). Gaining unauthorized access to computerized information belonging to others is at the heart of the charges against defendant in this matter.

Essentially, it is asserted that, while on leave from his job as a field technician for Time Warner Cable, and therefore unauthorized to enter its offices or use its computers, defendant entered Time Warner Cable’s Northern Manhattan office and installed a *225keystroke logger* (also known as a keylogger) computer program on three of Time Warner Cable’s computers, and was able to use the information he wrongfully obtained with the keylogger to gain access to another Time Warner program that stored customers’ confidential information.

Defendant was charged with almost every offense defined in article 156, and was convicted after trial of every count: three counts of computer trespass (Penal Law § 156.10), three counts of computer tampering in the third degree (Penal Law § 156.25 [1]), one count of unlawful duplication of computer related material in the first degree (Penal Law § 156.30 [2]), and one count of criminal possession of computer related material (Penal Law § 156.35). On this appeal, he takes advantage of the paucity of case law addressing these recently defined crimes, and of the constantly changing means by which illicit access to computerized information can be achieved, to buttress his arguments that the proof failed to establish the elements of each of the crimes as defined by the statutes.

I. The Trial Evidence

On November 9, 2007, defendant was placed on disability leave from his job as a field technician for Time Warner Cable. Tom Allen, vice-president of security at Time Warner, testified that an employee who is placed on work leave is not considered an active employee; his or her access card is disabled and thus cannot be used to gain access to the company’s offices. This policy is announced in employee handbooks provided to employees, and any employee placed on leave is instructed by human resources department personnel regarding that policy. Since the public is not allowed to enter Time Warner Cable’s Northern Manhattan office, security guards are stationed outside to ensure that those entering the building have valid ID cards.

David Lopez, a head-end technician for Time Warner Cable, testified that sometime in late January or early February 2008, he arrived at work at the company’s Northern Manhattan office, located at 401 West 219th Street, and spotted defendant nearby. During a brief conversation, defendant asked Lopez for Lopez’s personal log-in and password for Time Warner Cable’s billing and customer information system, CSC, but Lopez *226refused. Defendant responded that he would find another way to get that information. Specifically, Lopez recounted, defendant said that he “might use a keylogger” to get the password he needed in order to gain access. Soon thereafter, Lopez warned Monty Harris, a Time Warner Cable crew chief and field technician, and two supervisors, Lance Giancotti and Thomas Bonelli, that defendant might do something to the computers in the company’s “service ready room.” The service ready room is accessible to all employees, and contains three computers, one main computer and two “thin client” computers. All three computers are installed with a program, CSG, that gives employees access to customers’ personal information.

It is undisputed that on February 10, 2008, defendant entered the Time Warner Cable Northern Manhattan office at 5:17 p.m., and left at 6:03 p.m. Lopez testified that at 5:30 p.m., he saw defendant using a computer in the service ready room. However, while both Lopez and Harris saw defendant using all three of those computers during that period of time, neither could see what he was doing with the computers. According to Lopez, there were approximately six other employees in the room while defendant was using the computers, but they were in a separate area of the room, not near the computers.

From the time he first saw defendant using the computers to the time he left at 6:30 p.m., Harris saw no other individual using the computers. Harris did not notify anyone about defendant’s use of the computer at the time; nor did he check the computers after defendant left.

The following morning, on February 11, Harris logged on to the computers in the service ready room and noticed that a program, Cracks, was open and running on the main computer. Harris was curious as to what the program was, and said that he visited the website and found that it was a site that showed “how to generate password keys for software.” This website and program was used to gain access to password-protected software. Harris discovered that the same program was open and running on the other two computers in the room. As Harris went to report his findings, he saw Lopez walking in to the room. He and Lopez talked, and then Harris reported his findings to Paul Hart, a foreman. Hart in turn notified supervisor Lance Giancotti about the situation, and Giancotti concluded that there had been a security breach.

Giancotti reported the security breach to Sandip Gupta, Time Warner Cable’s senior director of information technology, and *227Gupta directed Marc Rosenthal, the IT manager of network support, to go to the Northern Manhattan office to examine the three computers in the service ready room. On examining the three computers, Rosenthal noticed a program, Winvestigator, that was never installed or used by Time Warner Cable. Rosenthal took screenshots of the computers, which showed that Winvestigator was installed on each of the three computers between 5:45 p.m. and 6:15 p.m. on February 10, 2008. A search through the computers’ browser history revealed that a site called Tropical Software was visited on all three computers, and Rosenthal discovered that Winvestigator could be downloaded and purchased from that site. Rosenthal then gathered and secured the computers to take them to Time Warner’s 23rd Street office.

When the three computers arrived at Time Warner Cable’s lab on 23rd Street, Rosenthal and Gupta discovered that unplugging them had caused the hard drives to be erased on the two “thin client” computers. However, the main computer’s hard drive remained intact, and Rosenthal was able to make a copy of it to analyze without damaging the contents of the original hard drive.

Rosenthal testified that he was unable to access Winvestigator’s log file, which keeps track of the program’s information and data, and discovered it had been password protected. To gain access to that log file, Gupta purchased a “back-door” password to access Winvestigator. Rosenthal was able to gain access to the program. He discovered that the program had stored his own password as well as Giancotti’s password. The individual who installed Winvestigator on the Time Warner computers, Rosenthal testified, had set the program’s password to “lp.”

Tom Allen, Time Warner Cable’s vice-president of security, testified that on February 12, 2008, he was notified of the security problem in the Northern Manhattan office, and reported the security breach to the New York City Police Department.

On April 3, Allen and Rosenthal turned over two hard drives and a desktop computer tower to Detective Jorge Ortiz, a member of the NYPD’s Computer Crime Squad, who had received specialized training in computer forensics. Ortiz made copies of the hard drives and desktop tower and then conducted a forensic analysis on the copies. He ran a program named Net-Analysis, which analyzes the computer’s Internet history, and two malware detection programs, Gargoyle and Encase. He *228found that on February 10, 2008, at 5:32:09 p.m., someone visited the website Cracks.com, which provides individuals with access codes and key generators to access specific software. Additionally, between 5:32:58 p.m. and 5:58:19 p.m., someone visited the home page of Tropical Software, which makes Winvestigator, and downloaded the program.

Both Gargoyle and Encase showed that Winvestigator had been installed on the desktop computer on February 10, 2008, during the time period under investigation. Ortiz determined that Winvestigator’s settings were set to log keystrokes, user sign-ons, and the times that programs opened and closed. Additionally, Winvestigator was programmed to self-encrypt and not warn others that the program was running, so that anyone without the programmed password would be unable to look at the Winvestigator log file, because it would display only incomprehensible text. Ortiz determined that Winvestigator had started to log keystrokes at 5:37 p.m. on February 10, 2008.

II. Discussion

To determine the legal sufficiency of the evidence to support a conviction, the Court must view the evidence in the light most favorable to the People to decide whether any rational trier of fact, using any valid line of reasoning, could have found the elements of each crime beyond a reasonable doubt (see People v Ramos, 19 NY3d 133, 136 [2012]; People v Bleakley, 69 NY2d 490, 495 [1987]).

A. Computer Trespass

To convict an individual of computer trespass under Penal Law § 156.10, it must be shown that the individual “knowingly use[d] ... or accesse[d] a computer ... or computer network without authorization and . . . knowingly gain[ed] access to computer material.” Defendant argues that he cannot be properly convicted of accessing “computer material” because he did not gain access to the types of materials defined in the statute, and that the evidence failed to prove that he lacked authorization to use the three computers.

The term “without authorization” is defined as “access of a computer service by a person without permission ... or after actual notice to such person, that such access was without permission” (Penal Law § 156.00 [8]). While there is apparently no appellate authority on this point, the question of how to prove that use of a computer was not authorized was addressed *229in People v Klapper (28 Misc 3d 225 [Crim Ct, NY County 2010]), which considered a charge of unauthorized use of a computer (Penal Law § 156.05). The Klapper court held that no allegations supported the claim that the defendant’s access was unauthorized, because for access to be without authorization, the defendant must have had knowledge or notice that access was prohibited or “circumvented some security device or measure installed by the user” (28 Misc 3d at 230). Of course, here, evidence fully supports the finding that defendant gained access to Time Warner’s computers when he was unauthorized to do so. There is proof that Time Warner announced in its employee handbook that employees on disability leave were prohibited from entering the building, and the company deactivated those employees’ access cards; this establishes that defendant had actual notice that he lacked authorization to enter the building and to use the company’s computers. Furthermore, defendant’s request of David Lopez to use his log-in information, Lopez’s refusal, and defendant’s reply that he would find another way to access the system, support the finding that defendant was aware of his lack of authorization.

Defendant’s reliance on People v Katakam (172 Misc 2d 943 [Sup Ct, NY County 1997]) is misplaced. There, unlike here, the defendant obtained materials during a period of time when he was given free access to them; thus, his access was not “without authorization” (172 Misc 2d at 947-948). To the extent defendant argues that proof of computer trespass requires the People to show that he engaged in his conduct to gain a competitive advantage, and that they failed to do so, we note that the statute contains no such intent element; therefore, the People had no such obligation. The Katakam court discussed the defendant’s intent to gain a benefit only in the context of the charge of criminal possession of computer related material (id. at 947).

As to whether the information defendant gained access to constituted “computer material” for purposes of Penal Law § 156.10, the statutory definition of the term includes “any computer data or computer program” that “is not and is not intended to be available to anyone other than the person . . . rightfully in possession thereof . . . and which accords or may accord such rightful possessors an advantage over competitors or other persons who do not have knowledge or the benefit thereof’ (Penal Law § 156.00 [5]). With the use of user log-in information and passwords obtained through his installation of *230the keystroke-logging program Winvestigator, defendant was able to access information not intended to be available to anyone but the rightful user, namely, Time Warner and its authorized employees. Specifically, he gained access to information contained in Time Warner’s CSG system, comprising confidential information about customers’ accounts, including address, phone number, subscription, service call records, and billing and payment information, as well as a list of any problems customers reported or services they requested. Customer information such as that contained in Time Warner’s CSG system is the sort of information that businesses have an interest in protecting and keeping away from competitors (see Reed, Roberts Assoc. v Strauman, 40 NY2d 303, 308 [1976]). Accordingly, it qualifies as computer data that is not intended to be available to anyone other than the rightful possessor and that gives (or may give) the rightful possessor an advantage over competitors.

Notably, the statute requires only that defendant “knowingly gain[ ] access to computer material”; it does not require that he actually make use of the material in any way. The evidence is sufficient to establish that with the information defendant obtained by illicitly installing Winvestigator he gained access to the confidential customer information in Time Warner’s CSG system. Moreover, the testimony of David Lopez that defendant asked him for his personal log-in and password for access to the CSG system adds weight to the evidence that defendant’s actions were purposefully geared toward gaining access to information in that system.

Therefore, all the elements of computer trespass under Penal Law § 156.10 were properly found to have been established.

B. Computer Tampering

The crime of computer tampering in the third degree (Penal Law § 156.25) is established by proof of the commission of fourth-degree computer tampering (Penal Law § 156.20) along with proof of one of four aggravating factors. The fourth-degree crime is committed when the individual uses or accesses a computer without authorization and “intentionally alters in any manner or destroys computer data or a computer program of another person” (Penal Law § 156.20). We have already concluded that the evidence supports the finding that defendant used or accessed three Time Warner computers without authorization. The question is whether there is proof that defendant intentionally altered or destroyed computer data or a computer program.

*231In People v Versaggi (83 NY2d 123 [1994]), the defendant, a computer technician who worked for Eastman Kodak, was convicted of computer tampering in the second degree based on proof that he accessed the computers that operated the company’s telephone system, and issued commands that caused those computers to shut down thousands of the company’s telephone lines. He challenged the conviction by contending that he did not change the computer programs, but merely activated existing instructions which commanded the computers to shut down. The Court upheld the conviction, explaining that a computer program can be “altered,” as that term is defined by the Penal Law, merely by making it “different in some particular characteristic . . . without changing [it] into something else” (id. at 129, quoting Webster’s Third New International Dictionary at 63 [Unabridged]). Therefore, when the defendant entered Kodak’s computer systems and input commands, he “made the system ‘different in some particular characteristic’ ” even if he did not add or delete program material (id. at 131-132).

Defendant’s actions here amounted to an even clearer alteration of programs than the actions of the defendant in Versaggi. The installation of a program that secretly monitors and replicates other users’ keystrokes, and self-encrypts if the wrong password is used to attempt access to it, constitutes an alteration of the computer programs on the computers on which it was installed.

Of the four aggravating factors that can elevate fourth-degree computer tampering to the third degree, the People rely on the one specifying that the defendant did so “with an intent to commit or attempt to commit or further the commission of any felony” (Penal Law § 156.25 [1]). Defendant argues that the evidence failed to establish the commission of computer trespass, a class E felony, or the intent to commit it. However, we have already determined that there was sufficient proof that defendant knowingly accessed Time Warner’s computers without authorization, and altered their programming, thereby knowingly gaining access to computer material, specifically, Time Warner’s CSG system. Therefore, the evidence established defendant’s intent to commit a felony.

C. Unlawful Duplication of Computer Related Material

“A person is guilty of unlawful duplication of computer related material in the first degree when hav*232ing no right to do so, he or she copies, reproduces or duplicates in any manner . . . any computer data or computer program with an intent to commit or attempt to commit or further the commission of any felony” (Penal Law § 156.30 [2]).

Defendant argues that there is insufficient evidence that he duplicated or copied computer materials. Additionally, he again challenges the sufficiency of the evidence supporting the finding that he committed felony computer trespass.

The act of installing a keystroke logging program to reproduce other employees’ user IDs and passwords amounts to arranging for the duplication of that log-in information, to which defendant alone gained access. The finding that defendant arranged for the duplication of the user log-in information in furtherance of his commission of the felony of computer trespass is fully supported by the evidence.

D. Criminal Possession of Computer Related Material

As defined by Penal Law § 156.35,

“A person is guilty of criminal possession of computer related material when having no right to do so, he knowingly possesses, in any form, any copy, reproduction or duplicate of any computer data or computer program which was copied, reproduced or duplicated in violation of section 156.30 of this article, with intent to benefit himself or a person other than an owner thereof.”

The term “benefit” is defined as “any gain or advantage to the beneficiary” (Penal Law § 10.00 [17]). Defendant argues that it was not proven that he “possessed” computer related materials with the intent to “benefit” himself or that he violated Penal Law § 156.30 (unlawful duplication of computer related material in the first degree).

Having determined that there is legally sufficient evidence to establish that defendant arranged for the duplication of computer data in violation of Penal Law § 156.30, we turn to the requirement that defendant knowingly possessed the illicitly duplicated computer data. There is no requirement that defendant physically, tangibly possess the copies or duplicates of the information stored by the Winvestigator program; the statute expressly states that possession “in any form” is sufficient. Since defendant alone had access to and exercised control over the information Winvestigator duplicated, it follows that he constructively possessed such duplicated materials.

*233As to whether his possession of the illicitly duplicated computer data was “with intent to benefit himself or a person other than an owner thereof/’ defendant’s expressed desire to gain access to Time Warner’s CSG program, as well as the actions he took to gain that access, permit the inference that he intended to benefit either himself or someone else with the information he could obtain from the CSG system.

Accordingly, the judgment of the Supreme Court, New York County (Michael R. Sonberg, J.), rendered September 13, 2010, convicting defendant, after a jury trial, of computer trespass (three counts), computer tampering in the third degree (three counts), unlawful duplication of computer related material in the first degree, and criminal possession of computer related material, and sentencing him to an aggregate term of five years’ probation, should be affirmed.

Mazzarelli, P.J., Acosta, Renwick and Clark, JJ., concur.

Judgment, Supreme Court, New York County, rendered September 13, 2010, affirmed.

Keystroke loggers “capture every key typed on a particular computer” (see Wayne R. Barnes, Rethinking Spyware: Questioning the Propriety of Contractual Consent to Online Surveillance, 39 UC Davis L Rev 1545, 1552 [Apr. 2006]).