People v. Versaggi

OPINION OF THE COURT

Joseph D. Valentino, J.

facts

The SL-100 is the computer which runs Eastman Kodak Company’s telephone system. In Rochester, New York, Kodak has two such computers — one located at Kodak office on State Street, which operates the Kodak office telephones, and one located at the Kodak Park complex which operates the Kodak Park telephones. In the early morning hours of November 10, 1986, several telephone access lines to the Kodak Park complex in Rochester "shut down”. It took computer technicians approximately two hours to restore the lines by issuing commands on the computer. Just over a week later, on November 19, 1986, all phone lines at the Kodak office in Rochester were disconnected. This time the system repaired itself by way of a program in the computer system.

In November 1986, defendant Robert Versaggi was employed by Kodak as a computer technician responsible for maintaining and effecting repairs on the Call Defender system, the Timeplex system and the multiplexer to Colorado. He was not responsible for the SL-100 systems.

As part of his job, the defendant often was required to work from his home, for which he was provided with Kodak-owned computer equipment. He was one of a handful of technicians who had been provided with an accelerator — a security device which allowed him to "access” certain Kodak computer systems which were also equipped with accelerators, including the Tellabs local area network. Kodak also provided him with a telephone line held by New York Telephone, phone number 948-5385, for the purpose of connecting with the Kodak computers from his home. Kodak was billed directly for calls *363made on this line. As the defendant resided in Batavia, calls made to Rochester would appear as itemized long distance calls.

Just prior to the November 10th and November 19th incidents, the telecommunications supervisor, Joseph Doyle, instructed one of his technicians, David Nentarz, to set up a script file to monitor the Tellabs data channel. The Tellabs computer system serves as a data communications network router. In certain situations, a user calling from outside of Kodak would first access the Tellabs system, from which point access to other systems was possible. Technicians used Tellabs as a diagnostic route when diagnosing problems with other systems from home. Tellabs is equipped with a security device known as an accelerator. This device prevents external access to Tellabs except by those users who also have accelerators. In November, Kodak employees who had been provided with accelerators included David Nentarz, Larry Comstock, Mike Russell and defendant Robert Versaggi. These people had access to Tellabs from their homes.

The script file set up by David Nentarz monitored the first dial-in channel, corresponding to telephone number 722-6916. This program was hooked up to the Tellabs supervisory mode, or monitor port, and constantly checked for a connection with the Tellabs network. Once a user accessed another system via Tellabs, the monitor observed everything that appeared on that person’s screen, much like a hidden camera in a bank which watches customers once they come in the door. The user would not be able to detect that he was being monitored. Further, the program contained a capture function which was activated as soon as a connection with Tellabs was made. Like the film in a hidden camera, this capture program (capture) recorded on disc everything that came across the screen after the connection was in place. Capture created on floppy disc a permanent record of the user’s activity while he was connected to Tellabs through the 722-6916 channel, eliminating the need for someone to stand vigil over the screen while the script file was running.

Kodak initially investigated the matter to determine why the lines went down, and who, if anyone, had caused them to malfunction. Evidence before the investigators included printouts from the SL-100 log which documented all activity on the SL-100 systems for the time periods in question; printouts from the monitor port of the Tellabs local area network which documented all activity on Tellabs through line 722-6916 for *364the time periods in question; and two New York Telephone bills for the telephone line provided to defendant Robert Versaggi by Kodak for the dates in question. Based on this evidence, Kodak investigators determined that on each occasion, defendant Versaggi had accessed the Kodak SL-100 systems and entered commands which caused the systems to shut down phone lines.

Defendant was charged with two counts of computer tampering in the second degree (Penal Law § 156.20), a class A misdemeanor, which provides: "A person is guilty of computer tampering in the second degree when he uses or causes to be used a computer or computer service and having no right to do so he intentionally alters in any manner or destroys computer data or a computer program of another person.” The People charge that by accessing the SL-100s on two occasions and entering certain commands which caused the system to shut down phone lines, defendant altered the computer software program in violation of the statute. At a bench trial which lasted two days, the People elicited testimony from five witnesses, including two Kodak computer technicians and the supervisor of telecommunications at Eastman Kodak, defendant’s immediate boss. Much of what was heard consisted of expert testimony relating to computer operations at Kodak and the analysis of computer printouts received in evidence. Defendant did not testify; nor did he raise any defense provided by statute. (See, Penal Law § 156.50.) After trial, the defendant moved to dismiss on the ground of insufficient evidence. He further argued that the actions of which he is accused do not constitute an alteration under the statute.

LAW

This case involves perhaps the first prosecution under New York’s new computer crime statute, Penal Law article 156, which went into effect on November 1, 1986, just days before the incidents charged herein. As of yet, the statute has not been construed by any court, and the reported decisions involving prosecutions under similar statutes in other States offer little substantive guidance. (See, e.g., People v Brown, 726 P2d 638 [Colo 1986]; State ex rel. Hall v Wolf, 710 SW2d 302 [Mo 1986].)

(1) SUFFICIENCY OF THE EVIDENCE

The People’s case rests solely on circumstantial evidence. *365The defendant was not caught in the act at his computer terminal (see, e.g., Regina v Christensen, 7 CLSR 406 [Canada 1979]). Instead, the events of November 10 and November 19 were traced to him through two sets of computer printouts and two telephone bills. Where a conviction rests on circumstantial evidence, "the hypothesis of guilt should flow naturally from the facts proved, and be consistent with them, and * * * the facts proved must exclude to a moral certainty every reasonable hypothesis of innocence”. (People v Morris, 36 NY2d 877, 878 [1975], citing People v Lagana, 36 NY2d 71; People v Benzinger, 36 NY2d 29; People v Borrero, 26 NY2d 430; People v Cleague, 22 NY2d 363; cf., People v Gonzalez, 54 NY2d 729 [1981].)

The testimony shows that on both occasions someone, without any right or authority to do so, manually issued commands on the computer software causing the phone lines to disconnect. This was not disputed at trial. The real issue for the finder of fact is whether the evidence proved beyond a reasonable doubt that defendant was the perpetrator. After a careful review of the evidence, this court is convinced beyond a reasonable doubt that it was defendant who issued the commands.

Trial testimony included evidence that other methods of access to the SL-100 systems were available besides through Tellabs 6916. From this, the court was urged to draw the inference that any number of people might have been responsible for issuing commands, and that their access would have remained undetected by the Tellabs monitor port. The court must reject this theory. The commands issued to the SL-100 and captured on the Tellabs monitor are in each case identical to the commands appearing on the SL-100 log printouts. The logs revealed that no other commands were issued to the SL-100’s causing them to fail. Furthermore, the relevant time periods correspond almost exactly on the two sets of printouts. From this evidence, the court finds that on each occasion the SL-100 telephone system was accessed and reprogrammed through Tellabs channel 6916, and that this activity is recorded in the capture file printouts in evidence.

If the proof had stopped there, the court would find the evidence insufficient to convict, for there would be no conclusive evidence that it was defendant rather than another technician with an accelerator who had accessed Tellabs. Certainly, some of the evidence would have pointed towards Robert Versaggi, such as testimony that only he and David *366Nentarz had. access to the Defender control screen on November 10, and proof that the "Versaggi” PROFS account had been accessed on November 19. But these items of evidence would not lead the court to conclude beyond a reasonable doubt that defendant was the perpetrator.

The People did offer further evidence, however: the New York Telephone bills for defendant Versaggi’s Kodak-provided telephone line, phone number 948-5385. The November 10th bill reveals that a phone call was made to Tellabs channel 722-6916 at 12:10 a.m., which lasted for 34 minutes. This call corresponds to the capture file printout which shows that after initially accessing the Defender system, the user accessed the Kodak Park SL-100 at 12:11:53 and remained in that system at least until 12:33. The November 19th bill reveals that three phone calls were made to Tellabs channel 722-6916. The first call, made at 12:40 a.m. for three minutes, corresponds to the first Tellabs connection at 12:40:33. The second phone call, made at 12:50 for four minutes, though not actually reflected on the printout, corresponds to the time period during which the úser was in Tellabs but not in a host system. This call’s absence from the printout is consistent with the order of events reflected on the capture file. The third phone call, made at 1:33 a.m. for five minutes, corresponds to the SL-100 log-in time of 1:34.

After careful consideration of this evidence, I am convinced that on each occasion the illicit SL-100 commands were issued over defendant’s Kodak-provided telephone line from computer equipment in his home, and that defendant was the perpetrator.

Concerning the defendant’s intent, it should be noted that specific warnings appeared on the user’s screen and the illegal commands were entered even after these warnings appeared. Keeping in mind that the capture file could not pick up log-on times until a host system was accessed, and that the several clocks involved were not synchronized, I find that the relevant times correspond so closely as to rule out all other reasonable explanations for the origin of the commands.

Circumstantial evidence is treated with special care "not because of any inherent weakness in this form of evidence, but to ensure that the [fact finder] has not relied upon equivocal evidence to draw unwarranted inferences or to make unsupported assumptions”. (People v Way, 59 NY2d 361, 365 [1983].) The evidence here is by no means equivocal. This *367court finds that the evidence proves unequivocally and beyond a reasonable doubt that on November 10 and November 19, defendant intentionally issued commands to the SL-100 systems, causing phone lines to disconnect.

(2) "alteration” under the statute

The defendant argues that the actions for which he is charged did not constitute "alterations” under the statute. The statute (Penal Law § 156.20) provides: "A person is guilty of computer tampering in the second degree when he uses or causes to be used a computer or computer service and having no right to do so he intentionally alters in any manner or destroys computer data or a computer program of another person.” The statute also defines "computer program”: "Computer program” is property and means an ordered set of data representing coded instructions or statements that, when executed by computer, cause the computer to process data or direct the computer to perform one or more computer operations or both and may be in any form, including magnetic storage media, punched cards, or stored internally in the memory of the computer.” (Penal Law § 156.00 [2].)

The defendant has suggested that the criminal activity which took place constituted interrupting the operation of the computer system, as opposed to altering a computer program. In some States, interrupting the operation of a computer system is classified as a crime. (See, e.g., Cal Penal Code § 502 [c]; Conn Gen Stat Annot § 53a-251 [d].) This classification is absent, however, from New York’s computer crime statute. The New York State Legislature has instead chosen to focus on the activity itself rather than the result of that activity. (See, Comment, The Challenge of Computer-Crime Legislation: How Should New York Respond?, 33 Buffalo L Rev 777, 785 [1984].) Therefore, the court must look to the statute and the alleged activity to determine whether that activity is within the purview of the statute.

The software involved here was part of the SL-100 package that came from the manufacturer. Defendant contends that issuing the commands constituted merely a "use” of the program as opposed to an alteration. Clearly, the program was written so that such commands could be entered to achieve shutting down the hardware, if necessary. Defendant did not rewrite the program. In fact, Joseph Doyle testified that any generic changes in the software would have to be made by the *368manufacturer. He also testified that normally the software is executing a set of instructions which directs the hardware to provide dial tone, place calls, receive digits and other functions necessary to the operation of the telephone system. To effect changes in the hardware, it must be taken off its normal course of action and instructed to do other things. Here, the defendant changed the usual instructions to the hardware, so that instead of operating the telephone system in its normal fashion, it turned itself off.

This court finds that by issuing commands to the software which changed the instructions to the hardware, taking it off its normal course of action and shutting down the phone lines, defendant "altered” a computer program within the meaning of Penal Law § 156.20. To embrace defendant’s contention would be to require proof, not merely that the commands were issued changing the instructions, but that the software in fact had been rewritten. Such a hypertechnical statutory interpretation would certainly defy the statute’s plain language as well as its very purpose to deter this kind of activity by employees entrusted with special computer privileges.

Defendant also urges that any alteration under the statute must be permanent. In the November 10 incident, a technician spent almost two hours issuing "countercommands” on the software in order to restore the system to normal. In the November 19 incident, the system fixed itself by means of a function written into the program. But simply because a program can be fixed does not mean that it has not been altered. The statute makes it criminal to intentionally "[alter] in any manner or destroy” a program (emphasis added). An altered program which cannot be fixed most likely is destroyed. Destruction suggests permanency. As the statute distinguishes between the two forms of tampering — alteration and destruction — it must be assumed that the Legislature intended these to involve different sets of circumstances. Not only would it be inconsistent to hold that an alteration must be permanent to be punishable under the statute, but it would render the words "or destroy” a redundancy.

Finally, defendant points out that the alteration did not result in physical damage or financial damage. These are not elements of computer tampering in the second degree. As previously noted, this is not a result-oriented statute. The only time a computer tampering prosecution must focus on results is when the alteration or destruction exceeds $1,000. When *369this occurs, the crime is raised to computer tampering in the first degree, a class E felony. (See, Penal Law § 156.25 [4].) This monetary sum merely parallels the distinction between misdemeanor and felony crimes defined by the value of the property involved. (See, Donnino, Practice Commentaries, McKinney’s Cons Laws of NY, Book 39, Penal Law § 156.25, 1987 Pocket Part, at 113.) As the defendant has not been charged with a felony, there is no need to consider physical or financial damage.

Defendant’s motions to dismiss are denied. Based on the foregoing, this court finds the defendant guilty on two counts of computer tampering in the second degree.