
Question:

Christopher Andrew Phillips was convicted of violating the Computer Fraud and Abuse Act in the Western District of Texas. The Fifth Circuit Court of Appeals affirmed.

. . . Phillips entered the University of Texas at Austin (“UT”) in 2001 and was admitted to the Department of Computer Sciences in 2003. Like all incoming UT students, Phillips signed UT's “acceptable use” computer policy, in which he agreed not to perform port scans using his university computer account. Nonetheless, only a few weeks after matriculating, Phillips began using various programs designed to scan computer networks and steal encrypted data and passwords. He succeeded in infiltrating hundreds of computers, including machines belonging to other UT students, private businesses, U.S. Government agencies, and the British Armed Services webserver. In a matter of months, Phillips amassed a veritable informational goldmine by stealing and cataloguing a wide variety of personal and proprietary data, such as credit card numbers, bank account information, student financial aid statements, birth records, passwords, and Social Security numbers.

The scans, however, were soon discovered by UT’s Information Security Office (“ISO”), which informed Phillips on three separate occasions that his computer had been detected portscanning hundreds of thousands of external computers for vulnerabilities. Despite several instructions to stop, Phillips continued to scan and infiltrate computers within and without the UT system, daily adding to his database of stolen information.

At around the time ISO issued its first warning in early 2002, Phillips designed a computer program expressly for the purpose of hacking into the UT system via a portal known as the “TXClass Learning Central: A Complete Training Resource for UT Faculty and Staff.” TXClass was a “secure” server operated by UT and used by faculty and staff as a resource for enrollment in professional education courses. Authorized users gained access to their TXClass accounts by typing their Social Security numbers in a field on the TXClass website’s log-on page. Phillips exploited the vulnerability inherent in this log-on protocol by transmitting a “brute-force attack” program, which automatically transmitted to the website as many as six Social Security numbers per second, at least some of which would correspond to those of authorized TXClass users.

. . . Phillips asserts that the Government failed to produce sufficient evidence that he “intentionally access[ed] a protected computer without authorization” under § 1030(a)(5)(A)(ii) . . . Phillips’s insufficiency argument takes two parts: that the Government failed to prove (1) he gained access to the TXClass website without authorization and (2) he did so intentionally. With regard to his authorization, the CFAA does not define the term, but it does clearly differentiate between unauthorized users and those who “exceed[ ] authorized access.” Several subsections of the CFAA apply exclusively to users who lack access authorization altogether. In conditioning the nature of the intrusion in part on the level of authorization a computer user possesses, Congress distinguished between “insiders, who are authorized to access a computer,” and “outside hackers who break into a computer.”

Courts have therefore typically analyzed the scope of a user’s authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user . . . Phillips’s brute-force attack program was not an intended use of the UT network within the understanding of any reasonable computer user and constitutes a method of obtaining unauthorized access to computerized data that he was not permitted to view or use. During cross-examination, Phillips admitted that TXClass’s normal hourly hit volume did not exceed a few hundred requests, but that his brute-force attack created as many as 40,000. He also monitored the UT system during the multiple crashes his program caused, and backed up the numerical ranges of the Social Security numbers after the crashes so as not to omit any potential matches. Phillips intentionally and meticulously executed both his intrusion into TXClass and the extraction of a sizable quantity of confidential personal data. There was no lack of evidence to find him guilty of intentional unauthorized access.

Phillips makes a subsidiary argument that because the TXClass website was a public application, he, like any internet user, was a de facto authorized user. In essence, Phillips contends that his theft of other people’s data from TXClass merely exceeded the preexisting generic authorization that he maintained as a user of the World Wide Web, and he cannot be considered an unauthorized user under § 1030(a)(5)(A)(ii). This argument misconstrues the nature of obtaining “access” to an internet application and the CFAA’s use of the term “authorization.” While it is true that any internet user can insert the appropriate URL into a web browser and thereby view the “TXClass Administrative Training System” log-in web page, a user cannot gain access to the TXClass application itself without a valid Social Security number password to which UT has affirmatively granted authorization. Neither Phillips, nor members of the public, obtain such authorization from UT merely by viewing a log-in page, or clicking a hypertext link. Instead, courts have recognized that authorized access typically arises only out of a contractual or agency relationship. While Phillips was authorized to use his UT email account and engage in other activities defined by UT’s acceptable computer use policy, he was never authorized to access TXClass. The method of access he used makes this fact even more plain. In short, the government produced sufficient evidence at trial to support Phillips’s conviction under § 1030(a)(5)(A)(ii) . . . For the foregoing reasons, the conviction and sentence are AFFIRMED.

Questions:

1. What is the defendant’s legal argument in the appeal?
2. Should a defendant in these types of cases be forced to pay restitution to the damaged parties?

Related Book:

Criminal Law

ISBN: 9780135777626

3rd Edition

Authors: Jennifer Moore, John Worrall