United States v. Gasperini , 894 F.3d 482 ( 2018 )


Menu:
  • 17-2479
    United States v. Gasperini
    UNITED STATES COURT OF APPEALS
    FOR THE SECOND CIRCUIT
    August Term, 2017
    (Argued: June 6, 2018     Decided: July 2, 2018)
    Docket No. 17-2479-cr
    UNITED STATES OF AMERICA,
    Appellee,
    — v. —
    FABIO GASPERINI,
    Defendant-Appellant.
    Before:
    CABRANES, LYNCH, and CARNEY, Circuit Judges.
    __________________
    Fabio Gasperini appeals from a judgment, entered after a jury trial in the
    United States District Court for the Eastern District of New York (Nicholas G.
    Garaufis, Judge), convicting him of misdemeanor computer intrusion in violation
    of 18 U.S.C. § 1030(a)(2)(C), and sentencing him to one year in prison. On appeal,
    Gasperini argues, among other things, that the computer intrusion statute is
    unconstitutionally vague; that the district court erred in denying his motion to
    suppress evidence that was seized in purported violation of the Stored
    Communications Act; and that the district court abused its discretion in allowing
    the government to introduce into evidence screenshots from the Internet Archive.
    Because we find these arguments (and, as explained in an accompanying
    summary order, all of Gasperini’s other arguments) to be meritless, we AFFIRM
    the judgment of the district court.
    SARITHA KOMATIREDDY, Assistant United States Attorney (David C.
    James, Assistant United States Attorney, on the brief), for Richard
    P. Donoghue, United States Attorney for the Eastern District of
    New York, New York, NY.
    SIMONE BERTOLLINI (Paul F. O’Reilly, on the brief), Law Offices of
    Simone Bertollini, New York, NY, for Defendant-Appellant Fabio
    Gasperini.
    GERARD E. LYNCH, Circuit Judge:
    Fabio Gasperini was convicted by a jury in the United States District Court
    for the Eastern District of New York (Nicholas G. Garaufis, Judge) of one count of
    misdemeanor computer intrusion in violation of 18 U.S.C. § 1030(a)(2)(C), a
    provision of the Computer Fraud and Abuse Act of 1986 (“CFAA”). Gasperini
    raises several challenges to his conviction. First, he contends that the statute that
    he was convicted of violating is unconstitutionally vague. Second, he asserts that
    the district court erroneously denied his motion to suppress evidence that was
    2
    allegedly collected in violation of the Stored Communications Act. Third, he
    contends that the district court abused its discretion in allowing the government
    to introduce into evidence screenshots from the Internet Archive (also known as
    the “Wayback Machine”). Gasperini makes several other arguments, which are
    addressed in an accompanying summary order. Because we are not persuaded
    by any of Gasperini’s arguments, we AFFIRM the judgment of the district court.
    BACKGROUND
    The evidence discussed below is taken from the trial record. Insofar as it
    relates to the offense of conviction, the evidence is viewed in the light most
    favorable to the government, and we draw all reasonable inferences in its favor.
    United States v. Guadagna, 
    183 F.3d 122
    , 125 (2d Cir. 1999). As it relates to the
    sentencing issues discussed in the accompanying summary order, “we review
    the District Court’s factual findings relevant to a sentencing determination for
    clear error.” United States v. Johnson, 
    378 F.3d 230
    , 238 (2d Cir. 2004). In order to
    vacate such findings, “we must view the evidence in the light most favorable to
    the government and nevertheless find to be impermissible the factual
    determinations based upon that favorably-viewed evidence.” 
    Id. 3 In
    2014, a virus began infecting QNAP-brand devices.1 Computer security
    experts who detected the virus determined that the attacker behind the virus was
    attempting to covertly infiltrate computers. The attacker targeted QNAP
    computers, which do not log external internet connections, and used an often-
    overlooked port to access the computers. The virus installed malware, which
    included several commands for the computer to execute, in hidden directories on
    the infected computers. Once a computer was infected, the attacker installed a
    “backdoor” account, which had the status of a “superprivileged user,” with
    unrestricted access to and control over the computer’s data. After creating the
    backdoor account, the attacker patched the initial vulnerability that had allowed
    him access, thereby locking out other hackers. The infected computer was then
    instructed to scan the internet for other computers with the same vulnerability
    and infect them. In this way, the attacker created what is known as a “botnet” – a
    network of infected computers under the attacker’s control. An analysis of one of
    the servers used in the scheme revealed that more than 155,000 computers were
    infected worldwide. Many of those computers were located in the United States.
    1
    QNAP Incorporated is a company headquartered in Taiwan, with offices and
    warehouses in California, that manufactures and sells “network attached
    storages,” which are computers specifically designed for the storage of data.
    4
    The virus’s commands accomplished different tasks. One command was
    designed to take certain username and password files from the infected
    computers and copy them onto a server. Another caused the infected computer
    to disguise itself as a human browsing the internet, and to click on certain banner
    advertisements. Yet another command prompted the botnet to launch
    coordinated attacks on certain websites, a practice known as distributed denial-
    of-service attacks.
    United States investigators identified Gasperini, an Italian citizen, as the
    creator of the virus and perpetrator of the various attacks because he leased and
    operated several servers around the world that were used to host the malware
    and communicate with the infected computers. A search of Gasperini’s email
    account also found a “test” copy of the computer virus that was initially used to
    infect QNAP computers, and emails from Gasperini expressly referencing several
    of the scripts installed on the infected computers.
    Evidence later adduced at trial also linked Gasperini to a related “click
    fraud” scheme, in which the botnet computers were commanded to click on
    certain advertisements. Business records showed that several websites implicated
    in the scheme were registered in Gasperini’s name. Additionally, Gasperini
    5
    contracted with an Italian advertising company to earn money for each
    advertisement viewed on these websites. Finally, evidence at trial tended to show
    that Gasperini monitored the operation. This included emails from his servers
    reporting “clicks completed” and a photograph of his home computer
    commanding his botnet to click on an advertising banners. After his arrest in the
    Netherlands, Gasperini deleted the contents of his Google account, deactivated
    his Facebook account, and instructed someone to discard the hard drives in his
    home and erase others.
    A grand jury charged Gasperini with felony crimes of computer intrusion
    with intent to defraud, for financial gain, and in furtherance of criminal acts; wire
    fraud conspiracy; wire fraud; and money laundering. After a seven-day jury trial,
    he was acquitted of all felony charges, and was convicted only of misdemeanor
    computer intrusion in violation of 18 U.S.C. § 1030(a)(2)(C), a lesser-included
    crime within one of the computer intrusion felonies charged in the indictment.2
    At sentencing, the trial judge found that the government had proven, by a
    preponderance of the evidence, that Gasperini had committed the felony offenses
    2
    The misdemeanor offense lacks the aggravating purpose element of the felony
    charged in the indictment. See 18 U.S.C. § 1030(c)(2) (establishing escalating
    penalties for violations of § 1030(a)(2) under various circumstances).
    6
    with which he was charged. Accordingly, those crimes were considered as
    relevant conduct in calculating the applicable Guidelines range, resulting in a
    range of 63 to 78 months’ incarceration, which was capped by the statutory
    maximum of imprisonment for one year. The district court sentenced Gasperini
    principally to that statutory maximum. He now appeals from that conviction.3
    DISCUSSION
    I.       Vagueness
    The statute under which Gasperini stands convicted punishes anyone who
    “intentionally accesses a computer without authorization . . . and thereby obtains
    . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C).
    Gasperini argues that the statute is unconstitutionally vague because it does not
    define the terms “access,” “authorization,” and “information,” and because the
    definition of “protected computer” in § 1030(e)(2) is overbroad.
    Because Gasperini did not raise this challenge below, we review it for plain
    error. United States v. Boyland, 
    862 F.3d 279
    , 288 (2d Cir. 2017), cert. denied, 138 S.
    Ct. 938 (2018). When reviewing for plain error under Federal Rule of Criminal
    Procedure 52(b), an appellate court has discretion to correct an error not raised at
    3
    Gasperini has served his sentence and has been deported to Italy.
    7
    trial only where the appellant demonstrates that “(1) there is an error; (2) the
    error is clear or obvious . . . ; (3) the error affected the appellant’s substantial
    rights . . . ; and (4) the error seriously affects the fairness, integrity[,] or public
    reputation of judicial proceedings.” United States v. Marcus, 
    560 U.S. 258
    , 262
    (2010) (internal quotation marks and brackets omitted).
    Gasperini cannot clear the hurdle set by the second of these requirements.
    “At a minimum, a court of appeals cannot correct an error pursuant to Rule 52(b)
    unless the error is clear under current law.” United States v. Olano, 
    507 U.S. 725
    ,
    734 (1993); see also Rosales-Mireles v. United States, 
    138 S. Ct. 1897
    (2018). Gasperini
    cites no authority from any court – let alone one whose decisions are binding on
    us – holding, or even suggesting, that § 1030(a)(2)(C) is unconstitutionally vague.
    Accordingly, we cannot conclude that the district court plainly erred by not sua
    sponte dismissing the indictment on that ground.
    In any event, Gasperini has not identified a due process violation here. “A
    conviction fails to comport with due process if the statute under which it is
    obtained fails to provide a person of ordinary intelligence fair notice of what is
    prohibited, or is so standardless that it authorizes or encourages seriously
    discriminatory enforcement.” United States v. Williams, 
    553 U.S. 285
    , 304 (2008).
    8
    We apply this standard in the context of the facts at issue, because, outside of the
    First Amendment context, an individual “who engages in some conduct that is
    clearly proscribed cannot complain of the vagueness of the law as applied to the
    conduct of others.” 
    Id. Even if
    we assume, arguendo, that the statute’s application may be unclear
    in some marginal cases (including some fanciful possibilities conjured in
    Gasperini’s appellate brief), Gasperini’s conduct falls squarely and
    unambiguously within the core prohibition of the statute. “Congress enacted the
    CFAA in 1984 to address ‘computer crime,’ which was then principally
    understood as ‘hacking’ or trespassing into computer systems or data.” United
    States v. Valle, 
    807 F.3d 508
    , 525 (2d Cir. 2015), citing H.R. Rep. No. 98-894, at
    3691–92, 3695–97 (1984), and S. Rep. No. 99-432, at 2480 (1986). In this case,
    Gasperini was found by the jury to have hacked into thousands of computers
    without permission, thereby gaining access to all of the information stored on
    those computers. The jury further found Gasperini guilty of taking information,
    including usernames and passwords, from at least some of those computers.
    There is thus no doubt that all of these actions fall within the core meaning of the
    phrase “accesses a computer without authorization . . . and thereby obtains . . .
    9
    information from [a] protected computer” as the italicized terms are used in
    § 1030(a)(2)(C).4 Accordingly, Gasperini’s challenge to the constitutionality of 18
    U.S.C. § 1030(a)(2)(C) fails.
    II.   Suppression
    Gasperini next argues that the district court should have suppressed
    certain evidence introduced by the government at trial, including (1) evidence
    obtained pursuant to search warrants issued under the Stored Communications
    Act (“SCA”), 18 U.S.C. § 2701 et seq., and (2) evidence obtained during searches of
    his home in Italy by Italian law enforcement officers pursuant to warrants issued
    by Italian courts. The district court did not err with respect to either category of
    evidence.
    Gasperini first argues that the SCA warrants were extraterritorial warrants
    not authorized by that Act. He relies on this Court’s decision in Matter of Warrant
    to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 
    829 F.3d 197
    (2d Cir. 2016), vacated as moot sub nom. United States v. Microsoft Corp., 138
    4
    Gasperini’s questioning of the definition of “protected computer” is also
    meritless. The definition describes a wide range of computers, including ones
    “used in or affecting interstate or foreign commerce or communication.” 18
    U.S.C. § 1030(e)(2)(B). That standard, a familiar limitation on the reach of any
    number of federal criminal statutes, has never been found void for vagueness.
    
    10 S. Ct. 1186
    (2018), in which we held that the SCA does not apply extraterritorially,
    and does not authorize the seizure of electronic communications stored on
    servers located outside of the United States. 
    Id. at 222.5
    Even assuming that at least some of the warrants demanded and acquired
    electronic communications stored abroad,6 and that our ruling in Microsoft –
    5
    As we explained in Microsoft, SCA “warrants,” although issued only when the
    constitutional standards governing conventional search warrants are met, do not
    authorize agents to enter premises and search for evidence, but rather are served
    on a third-party holder of electronic communications and demand that the third
    party turn over the information called for in the warrant. 
    See 829 F.3d at 214
    (describing the operation of SCA warrants). In that respect, SCA warrants
    function analogously to subpoenas. See 
    id. at 226–29
    (Lynch, J., concurring in the
    judgment).
    6
    Gasperini asserts that because he lived in Italy, it is “obvious” that his emails
    and Google Drive files were stored in Google’s foreign servers. Appellant’s Br. at
    36. That assertion is far from obvious, however. Prior to our decision in Microsoft,
    Google appears to have stored user data at locations that bore no relation to the
    location of the user. See, e.g., In re Search of Content that is Stored at Premises
    Controlled By Google, No. 16-MC-80263-LB, 
    2017 WL 1398279
    , at *4 (N.D. Cal. Apr.
    19, 2017) (“Unlike Microsoft, where storage of information was tethered to a user's
    reported location, there is no storage decision here. The process of distributing
    information is automatic, via an algorithm, and in aid of network efficiency”)
    (internal citation omitted) (amended and superseded on other grounds by In re Search
    of Content that is Stored at Premises Controlled by Google, No. 16-MC-80263-LB, 
    2017 WL 1487625
    , at *1 (N.D. Cal. Apr. 25, 2017); In re Search Warrant No. 16-960-M-01
    to Google, 
    232 F. Supp. 3d 708
    , 712 (E.D. Pa. 2017) (“Google stores user data in
    various locations, some of which are in the United States and some of which are
    in countries outside the United States. Some user files may be broken into
    component parts, and different parts of a single file may be stored in different
    11
    which was vacated as moot by the Supreme Court – correctly states the law,
    suppression still would not be required, because suppression of evidence is not a
    remedy available for violation of the SCA. Congress provided a number of
    specific remedies for such violations; these do not include suppression of
    evidence in a criminal case. See 18 U.S.C. § 2707(b) (listing “appropriate relief” in
    a “civil action” as “equitable or declaratory relief,” “damages,” and “a reasonable
    attorney's fee and other litigation costs reasonably incurred”); 18 U.S.C. § 2707(d)
    (providing for “disciplinary action against the officer or employee” who violated
    the Act). Moreover, Congress expressly provided that the listed remedies are
    exclusive, stating in § 2708 that the “remedies and sanctions described in this
    chapter are the only judicial remedies and sanctions for nonconstitutional
    violations of this chapter.” (Emphasis added).7 Gasperini does not request any
    locations (and, accordingly, different countries) at the same time.”) (internal
    citations omitted). Gasperini musters no evidence to support his conclusory
    assertion that in his case, the emails and files obtained from Google had, in fact,
    been stored abroad.
    7
    Our reading of the SCA as not requiring or authorizing suppression of evidence
    for nonconstitutional violations of its provisions is consistent the rulings of our
    sister circuits that have considered the issue. See, e.g., United States v. Clenney, 
    631 F.3d 658
    , 667 (4th Cir. 2011); United States v. Guerrero, 
    768 F.3d 351
    , 358 (5th Cir.
    2014); United States v. Smith, 
    155 F.3d 1051
    , 1056 (9th Cir. 1998); United States v.
    Perrine, 
    518 F.3d 1196
    , 1202 (10th Cir. 2008); United States v. Steiger, 
    318 F.3d 1039
    ,
    1049 (11th Cir. 2003).
    12
    form of relief authorized under the SCA, nor does he argue that any of the
    purported statutory violations he identifies also violate the Constitution, and we
    find no basis for any such argument. Accordingly, the district court did not err in
    denying Gasperini’s motion to suppress the evidence collected pursuant to the
    SCA warrants.
    Gasperini’s challenge to the use of hard drives and documents obtained
    from Italian law enforcement officials who searched his home fares no better. The
    searches were conducted pursuant to an Italian warrant, and Gasperini makes no
    claim that the warrant was issued in violation of Italian law. He argues instead
    that the Italian officials acted at the behest of American law enforcement agents,
    thus making them subject to American constitutional requirements for searches.
    “In order to render foreign law enforcement officials virtual agents of the United
    States, American officials must play some role in controlling or directing the
    conduct of the foreign parallel investigation.” United States v. Getto, 
    729 F.3d 221
    ,
    230 (2d Cir. 2013). Beyond alleging that the search was conducted at the request
    of the U.S. government, however, Gasperini does not argue that Italian officials
    were controlled by American law enforcement agents. A mere request is not
    sufficient to show control. See, e.g., 
    id. (“It is
    not enough that the foreign
    13
    government undertook its investigation pursuant to an American [Mutual Law
    Enforcement Assistance Treaty] request.”) There is thus no basis for Gasperini’s
    efforts to apply to the Italian searches the constitutional standards that would
    apply to domestic searches conducted by United States officers.
    III.   The Wayback Machine
    Finally, Gasperini challenges an evidentiary ruling made by the district
    court permitting the government to introduce screenshots of various websites
    taken by the Internet Archive, more commonly known as the “Wayback
    Machine.” “A district court judge is in the best position to evaluate the
    admissibility of offered evidence. For that reason, we will overturn a district
    court’s ruling on admissibility only if there is a clear showing that the court
    abused its discretion or acted arbitrarily or irrationally.” United States v. Valdez, 
    16 F.3d 1324
    , 1332 (2d Cir. 1994) (internal citation omitted). We detect no such abuse
    of discretion here.
    Gasperini challenges the authentication of screenshots of websites
    registered to Gasperini for use in the click fraud scheme, which were captured
    and stored by the Internet Archive, and maintained as business records of that
    entity. Federal Rule of Evidence 901(a) requires that before evidence is admitted,
    14
    “the proponent must produce evidence sufficient to support a finding that the
    item is what the proponent claims it is.” That standard was amply met here.
    Gasperini relies on Novak v. Tucows, Inc., 330 F.App’x 204 (2d Cir. 2009), in
    which we affirmed a district court decision excluding screenshots from the
    Archive for lack of authentication. In that non-precedential summary order,
    however, we held only that the district court did not abuse its discretion in
    excluding the evidence in a civil trial, where the proponent of the evidence
    offered no testimony explaining its provenance. 
    Id. at 206,
    aff’g Novak v. Tucows,
    Inc., No. 06-CV-1909, 
    2007 WL 922306
    (E.D.N.Y. Mar. 26, 2007). Here, in contrast,
    the government presented testimony from the office manager of the Internet
    Archive, who explained how the Archive captures and preserves evidence of the
    contents of the internet at a given time. The witness also compared the
    screenshots sought to be admitted with true and accurate copies of the same
    websites maintained in the Internet Archive, and testified that the screenshots
    were authentic and accurate copies of the Archive’s records. Based on this
    testimony, the district court found that the screenshots had been sufficiently
    authenticated.
    15
    The Third Circuit considered the admissibility of Internet Archive records
    on a similar record in United States v. Bansal, 
    663 F.3d 634
    , 667–68 (3d Cir. 2011).
    In that case, the court found that where a witness testified, from personal
    knowledge, “about how the Wayback Machine website works and how reliable
    its contents are,” there was sufficient evidence to authenticate screenshots taken
    from that website. 
    Id. at 667.
    We agree with the holding of the court in Bansal, and
    hold that the testimony presented in this case by the government was “sufficient
    proof . . . that a reasonable juror could find in favor of authenticity or
    identification.” United States v. Tin Yat Chin, 
    371 F.3d 31
    , 38 (2d Cir. 2004).
    Gasperini was free to cross-examine the witness about the nature and reliability
    of the Archive’s procedures for capturing and cataloguing the contents of the
    internet at particular times, and the jury was thus enabled to make its own
    decision about the weight, if any, to be given to the records. Accordingly, a
    sufficient basis was laid to place the admission of the evidence well within the
    discretion of the district court, and Gasperini’s challenge therefore fails.
    CONCLUSION
    For the foregoing reasons, and those set forth in the accompanying
    summary order, we AFFIRM the judgment of the district court.
    16