United States v. Shea , 493 F.3d 1109 ( 2007 )

                    FOR PUBLICATION
UNITED STATES COURT OF APPEALS
FOR THE NINTH CIRCUIT
UNITED STATES OF AMERICA,                       No. 06-10450
Plaintiff-Appellee,
v.                                 D.C. No.
CR-03-20057-RMW
WILLIAM CARL SHEA,
OPINION
Defendant-Appellant.

Appeal from the United States District Court
for the Northern District of California
Ronald M. Whyte, District Judge, Presiding
Submitted May 14, 2007*
San Francisco, California
Filed July 11, 2007
Before: Cynthia Holcomb Hall, Diarmuid F. O’Scannlain,
and Sandra S. Ikuta, Circuit Judges.
Opinion by Judge Hall
*This panel unanimously finds this case suitable for decision without
oral argument. See Fed. R. App. P. 34(a)(2).
8287
8290                UNITED STATES v. SHEA
COUNSEL
Arthur Pirelli, San Rafael, California, for the appellant.
Amber S. Rosen, Assistant United States Attorney, San Jose,
California, for the appellee.
OPINION
HALL, Senior Circuit Judge:
Defendant William Carl Shea challenges his conviction for
intentionally causing damage to a “protected computer” with-
out authorization, in violation of 18 U.S.C. § 1030(a)(5)
(A)(i). Shea argues that the government presented insufficient
evidence to convict, and, more specifically, presented no evi-
dence that he committed a criminal act on the date alleged in
the indictment. He also argues that the district court improp-
erly denied his request for substitute counsel. We disagree
with each of Shea’s contentions and, therefore, affirm the
conviction.
I.    Background
The defendant was an employee at Bay Area Credit Ser-
vices (BACS) from August 6, 2001, until January 17, 2003.
BACS provides debt collection services, and Shea managed
the company’s database operating system, which was
designed by a company called Columbia Ultimate. In Decem-
ber 2002, Shea asked for permission to work from home
because his daughter had been diagnosed with diabetes, but
his request was denied because, as BACS CEO Michael Priest
testified, Shea had been unproductive and difficult to reach
during his previous stints working at home.
On January 6, 2003, company executives met with Shea
and gave him a “performance plan” requiring him to meet cer-
UNITED STATES v. SHEA                  8291
tain productivity targets and to communicate with his superi-
ors about any planned absences. Shea did not come in to work
on January 17 and was subsequently terminated.
On January 30, BACS discovered that its database of
debtor accounts had been corrupted. It discovered a foreign
program on its system that was coded to replace debt principal
amounts with random numbers, switch client identification
numbers and eliminate the Social Security numbers tied to
each account. The program was coded to modify 5,000
records at a time and to repeat after each batch. Later investi-
gation revealed that the program had stopped on its own
because it had run multiple, simultaneous sessions. Before the
program “hung,” however, it had corrupted approximately
50,000 entries. BACS and representatives from Columbia
Ultimate, who had designed its database software, were able
to retrieve much of the data, but the process took approxi-
mately two months to resolve and cost BACS thousands of
dollars in fees to technical support consultants.
BACS and Columbia Ultimate blamed the file corruption
on a program called “CLEAR.CF.MARKS,” which used a file
naming convention similar to other files on the BACS system.
For example, there was a CLEAR-CF-MARKS in the same
file directory. CLEAR.CF.MARKS was triggered by one line
of code in the program “Collector-Summary-II,” which was
an authorized program that ran late in the evening or early in
morning to process the previous day’s collection activities, as
logged by BACS debt collectors.
Government witnesses estimated that CLEAR.CF.MARKS
had been on the BACS system since at least December 9,
2002. They made this estimation based on the fact that on
December 9, the relevant line of Collector-Summary-II’s code
had been edited to launch CLEAR.CF.MARKS. Back-up
tapes indicated that the program had not been on the system
in September 2002.
8292                UNITED STATES v. SHEA
The government referred to CLEAR.CF.MARKS as a
“time bomb” program. Though Collector-Summary-II pre-
sumably launched the program every night since December 9,
CLEAR.CF.MARKS would not actually detonate, continuing
the government’s metaphor, until a date provided in its own
source code. Though CLEAR.CF.MARKS deleted its own
source code as part of its operation, back-up tapes revealed a
copy of the source code that set the trigger date at any date
“greater than” January 29, 2003.
Columbia Ultimate consultants assisting BACS looked
through hard drive back-up materials and network logs to
investigate the origins of the malicious program. They discov-
ered that a person using various log-in names and passwords
associated with Shea had made edits to both Collector-
Summary-II and the source code for CLEAR.CF.MARKS
during December 2002 and January 2003. Shea had been
hired specifically in 2002 to help BACS convert to the latest
release of Columbia Ultimate’s software and remained on
staff as its programmer. He had experience in many program-
ming languages including those necessary to access the IBM
“Universe” databases Columbia Ultimate designed for BACS
and to work in the code of the files it contained. In his previ-
ous jobs, Shea worked with several of the Columbia Ultimate
employees who were called in to fix the problem on January
30.
FBI Agent Andrew Myers interviewed Shea at his home on
March 28, 2003. When Agent Myers presented Shea with a
copy of the source code of CLEAR.CF.MARKS, Shea imme-
diately recognized the program as foreign to the system, and
remarked that it should have been titled CLEAR-CF-
MARKS, with dashes instead of dots. Upon a brief examina-
tion of the code, Shea noted that it would likely cause debt
amounts to be altered. He said he thought the program would
not run and would eventually “hang itself.”
When the agents pointed out that his user name had been
associated with the file, Shea initially denied authoring the
UNITED STATES v. SHEA                 8293
program and offered no hypothesis as to why his user name
was involved. Upon further questioning he stated that at the
time the code was written he was experiencing medical prob-
lems. According to the agent, Shea also said that he had “dif-
ficulty determining if events were real or if he was dreaming
them.” Shea also explained his problems with BACS, and that
he thought people at the company were “out to get him.”
The initial indictment charging Shea was returned on April
30, 2003, and was superseded by a new indictment on August
5, 2004. A Second Superceding Indictment was returned on
August 3, 2005, charging Shea with seven counts of intention-
ally causing damage to a protected computer in violation of
18 U.S.C. § 1030(a)(5)(A)(i). Each count corresponded to a
particular act of entering or editing code on seven different
dates before the program corrupted the database.
During his trial, at the close of evidence, Shea moved for
appointment of new counsel. The court denied this request.
Shea moved for dismissal of six of the seven counts, and
moved for dismissal on the remaining count under Rule 29 of
the Federal Rules of Criminal Procedure. After consulting
with the parties, the district court consolidated the counts into
count 7, which related to January 29, 2003. It did not
expressly rule on Shea’s motion to dismiss the remaining
count.
The jury convicted Shea, and the district court sentenced
him to twelve months and one day in prison. He was also
ordered to pay $40,000 in restitution. This timely appeal fol-
lowed.
II.   Sufficiency of the Evidence
“There is sufficient evidence to support a conviction if,
viewing the evidence in the light most favorable to the prose-
cution and drawing all reasonable inferences, any rational
trier of fact could have found the essential elements of the
8294                UNITED STATES v. SHEA
crime beyond a reasonable doubt.” United States v. Bazuaye,

, 863 (9th Cir. 2001); see also Jackson v. Vir-
ginia, 

, 319 (1979). “Circumstantial evidence
and inferences drawn from it may be sufficient to sustain a
conviction.” United States v. Jackson, 

, 1381
(9th Cir. 1995). When the issue of sufficiency of the evidence
is preserved by making a motion for acquittal, we review the
district court’s denial of the motion de novo. United States v.
Tucker, 

, 1214 (9th Cir. 1998).
[1] We have had rare occasion to interpret sufficiency of
the evidence under the Computer Fraud and Abuse Act, which
punishes any person who “knowingly causes the transmission
of a program, information, code, or command, and as a result
of such conduct, intentionally causes damage without authori-
zation, to a protected computer.” 18 U.S.C. § 1030(a)(5)
(A)(i). Our decisions have thus far concentrated on the issue
of damages. See, e.g., United States v. Middleton, 

(9th Cir. 2000); United States v. Sablan, 

(9th Cir. 1996). Damages are not at issue in this appeal —
only the question of the defendant’s involvement. Our analy-
sis here is therefore aided by applicable principles from deci-
sions interpreting similar criminal statutes.
[2] Wire fraud, like computer fraud, has transmission as
one of its elements. See 18 U.S.C. § 1343. To prosecute
crimes involving the element of “transmission,” the govern-
ment must offer sufficient proof that the person charged is the
same person who sent the transmission. Circumstantial evi-
dence is sufficient to prove that the transmission has occurred.
See United States v. Rush, 

, 1373 (9th Cir.
1984). We confronted a wire fraud conviction based on facts
similar to those presented here in United States v. Mullins,

(9th Cir. 1993). In that case, a trio of travel
agents had manipulated an airline’s reservation system to
transfer frequent flyer miles into sham accounts. 

The government witness testified that each of these transfers
was tied to one of the defendants’ passwords, and an FBI
UNITED STATES v. SHEA                  8295
search of their offices revealed records of the ticket sales tied
to their fake accounts. 

argued, as Shea
does in this case, that other employees could have accessed
the passwords and accounts, and that the system was gener-
ally not secure. 

Nevertheless, we observed that
there was “overwhelming” evidence to support the conviction,
despite the possibility that someone else accessed the com-
puter. 

also found analogous cases where computer trans-
missions provided the basis for the prosecution’s theory, even
if “transmission” itself was not an element of the offense. In
our review of a bank fraud prosecution, we found sufficient
evidence to support a conviction where the defendant had
deployed a computer program to alter ATM records. See
United States v. Bonallo, 

(9th Cir. 1988). We
noted that the defendant had the necessary programming
skills, and the program file was found in his own file library.

Because the government had also offered evi-
dence of the defendant’s comings and goings from the banks
in question, the sufficiency ruling did not rest on access and
programming skills alone. 

Eighth Circuit case bearing some resemblance to
Shea’s, the court found sufficient evidence to support an
extortion conviction where the defendant argued he had not
sent the e-mails at issue. See United States v. Ray, 

, 1174 (8th Cir. 2005) (per curiam). A computer expert
had testified that the e-mails were created on the defendant’s
computer and saved on that computer’s hard drive. 

mails had been sent at a time when the defendant was using
his computer, and there was no evidence of remote access to
the computer at the time. 

also showed the
defendant had the knowledge and ability to follow through on
the threats presented in the emails. 

other Eighth Cir-
cuit case, the court upheld an aiding and abetting conviction
where there was no direct evidence that the defendant had
used the computer where files had been improperly down-
8296                UNITED STATES v. SHEA
loaded. See United States v. Levine, 

, 605-06
(8th Cir. 2007). The court held that the evidence offered,
proving the defendant’s access to the computer and the defen-
dant’s motive, was sufficient. 

trial, the prosecution constructed a timeline for
the two relevant programs: Collector-Summary-II, the autho-
rized program used in the day-end process, and
CLEAR.CF.MARKS, the “time bomb,” which was launched
by Collector-Summary-II. Both the prosecution and the
defense elicited a great deal of testimony on how the BACS
computer system works. For our purposes, it is relevant to
describe the multiple levels of network and database access
available to BACS employees:
(1) BACS employees signed in to a Windows network
where each employee had a user name and could select a per-
sonal password;
(2) from there, they could log on to the database of the
Columbia Ultimate Business System (CUBS), which operated
on a Unix platform, as opposed to Windows. To work on the
database, BACS employees had individual user names (which
were also tied to user numbers) and selected their own pass-
words;
(3) certain employees could also sign in to the Collector
System, through distinct passwords that were assigned to each
of them and based on their Social Security numbers. These
passwords were archived in a separate file readable by only
certain higher-level employees.
These user names and passwords were not tied to each
other, or to any given machine. So, for example, a person who
knew all the relevant names and passwords could log in as
one employee for the BACS Windows network, and then log
in as another employee for the CUBS Universe database, and
then sign in to the Collector System using another employee’s
UNITED STATES v. SHEA                        8297
password. The defense highlighted that any user could switch
Unix identities in the CUBS database (the second level) with
the right passwords, and that certain employees had “root”
access or “super user” access that gave them permission to
access any part of the system, though a password would still
be necessary to enter the Collector System. Shea had root and
super user access and could also access the list of employee
passwords for the Collector System.
The following timeline could be constructed from the testi-
mony at trial:
On December 9, 2002, at 6:53 p.m., a person logged on to
the BACS network using Shea’s Windows user name at a
computer in Shea’s office. A person at the same time logged
on to the CUBS database under the Unix user name assigned
to “LIB2002.” This account had been created during the sys-
tem conversion to the latest release of CUBS — the job for
which Shea was initially hired. This Unix user accessed the
Collector-Summary-II source code and edited one line of the
code to execute CLEAR.CF.MARKS.
On December 27, 2002, at 10 a.m., BACS CEO Michael
Priest called Shea into his office to discuss his work habits,
which were “below acceptable,” according to Shea’s supervi-
sor. At 2:23 p.m. that day, the Collector System logs indi-
cated that user SHEAB edited the source code of
CLEAR.CF.MARKS to change the trigger date from January
22 to January 15, 2003.1
1
There are two types of code involved in this case. “Source code” is
essentially a set of directions that a programmer writes in text form. When
the source code is complete, the programmer runs the code through a
“compiler” that produces “object code” in a language that only the com-
puter can read. See Microsoft Corp. v. AT&T Corp., 

, 1754
n.8 (April 30, 2007) (“Software in the form in which it is written and
understood by humans is called source code. To be functional, however,
software must be converted (or compiled) into its machine-useable ver-
8298                    UNITED STATES v. SHEA
On January 6, 2003, Shea’s supervisor, CIO William Stam-
baugh informed Shea that he would have to submit to a “per-
formance plan,” which dictated that he check in by phone
when he planned to be absent. The next day, January 7, at
7:27 a.m., Unix user 412, an identity tied to Shea, compiled
the source code of CLEAR.CF.MARKS into object code.
This date and time is the last recorded access to the
CLEAR.CF.MARKS object code. Therefore, further alter-
ations to the source code would not have affected the program
that eventually ran on January 29.2
On January 9, at 11:36 a.m., user SHEAB accessed the
source code, but BACS’s logs do not show that any modifica-
tions were made. The logs also show that the user entered a
code to delete any record of commands entered by SHEAB.
This user also entered a “clear screen” command several
times, to move all text off the screen. Clearing the screen
would have prevented anyone from observing the commands
that were being typed. This user also entered a “WHO” com-
mand to confirm which user identity would be tied to the
commands in the company’s logs.
On January 15, CLEAR.CF.MARKS would have run based
on the source code changes made in December, but it did not
sion, a sequence of binary number instructions typed object code.” (inter-
nal citation and quotations omitted)). See also Blueport Co., LLP v. United
States, 02-1622 C, ___ Fed.Cl. ___, 

at *31 n.11 (Fed.
Cl. May 7, 2007).
The government witnesses analogized this distinction in two ways:
First, the source code as the recipe for a pie, and the object code as the
actual pie. Second, the source code can be seen as the design for an assem-
bly line, and the object code as the assembly line itself. On the BACS sys-
tem, source code was stored in one file directory, and object code was
stored in another. This distinction helped BACS and Columbia Ultimate
determine which file had been edited by looking at the directory marker.
2
The pie was baking in the oven, to continue the metaphor. Alterna-
tively, the time bomb fuse had been lit, in the government’s phrasing.
UNITED STATES v. SHEA                 8299
— suggesting changes to the date had been made at some
other time prior to January 7, when the source code was com-
piled into object code. The government offered evidence that
the final source code had a trigger date of January 29. This
date was written in a computer programming language called
“Pick,” which Shea, but few others in the company, knew.
On January 16, “SHEAB” again accessed the program but
the log reflected no modification. The next day, a Friday,
Shea did not show up for work, and Stambaugh decided to
terminate him. Shea was apprised of his termination at the
office on Monday, January 20. CLEAR.CF.MARKS allegedly
triggered early in the morning January 30.
[3] Viewing the evidence in the light most favorable to the
prosecution, with all reasonable inferences that can be drawn
from the record, we hold that a rational juror could have
found Shea guilty. His access to the relevant files is undis-
puted. His ability to program in the Unix database and in the
Collector System files is undisputed and appears to have been
unique among BACS employees. His antagonistic relation-
ship with BACS executives provided him with a motive, and
the timing of certain edits corresponds with the meetings and
e-mails that preceded his termination.
Shea argues that there is no evidence that he compiled the
source code a second time, after January 7, to change the trig-
ger date from January 15 to January 29. The government,
however, offered evidence that the final version of the source
code did contain the date of January 29. Drawing reasonable
inferences from the record, this edit must have occurred
before January 7, otherwise the “time bomb” would have
gone off on January 15, and it did not. Though the govern-
ment did not offer any evidence of this second change, the cir-
cumstantial evidence that the change occurred is sufficient to
sustain the conviction on appeal.
[4] Shea also argues that several other BACS employees
had access to his computer or could have logged on as him
8300                 UNITED STATES v. SHEA
remotely. He presented evidence to the jury that another
BACS employee was logged in from Shea’s desktop com-
puter at all the relevant times. However, given Shea’s level of
access, which included access to the Unix names and pass-
words of all other BACS employees, and given Shea’s ten-
dency to open multiple sessions at once from his computer,
operating from both his laptop and desktop computers, a juror
could reasonably infer that Shea had logged in as the other
employee during all the relevant times. Because the prosecu-
tion “need not affirmatively rule out every hypothesis except
that of guilt,” Wright v. West, 

, 296 (1992) (inter-
nal quotation marks omitted), we find that reasonable infer-
ences from this record support Shea’s conviction.
III.   Variance Between Indictment and Evidence
Shea makes a more specific sufficiency claim that he com-
mitted no act on January 29, the date identified in the sole
count of the final indictment. Shea argues that the only prov-
able act — compiling the code on January 7 — constituted
mere preparation that was not directly tied to the ultimate
damage caused by CLEAR.CF.MARKS. We find these argu-
ments unpersuasive.
[5] Neither the language of the indictment, nor 18 U.S.C.
§ 1030(a)(5)(A)(i), required the government to prove that
Shea committed any act on January 29. Section
1030(a)(5)(A)(i) requires proof that a defendant “knowingly
causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally
causes damage without authorization, to a protected comput-
er.” The government’s proof that Shea knowingly added
instructions to the company’s programs at some date in Janu-
ary to cause the CLEAR.CF.MARKS routine to run on or
about January 29, 2003, was sufficient. Accordingly, we hold
that there was no variance between the indictment and evi-
dence adduced at trial.
UNITED STATES v. SHEA                  8301
Moreover, even if Shea could establish a variance between
the charges set forth in his indictment and the evidence
adduced at trial, we would reach the same result. Where, as
here, the date is not a material element of the offense, any
variance between the date charged in the indictment and proof
of the date at trial is harmless error if it does not affect the
defendant’s substantial rights. See United States v. Tsinhnahi-
jinnie, 

, 991 (9th Cir. 1997). Specifically, the
variance must not be “ ‘of a character which could have mis-
led the defendant at the trial’ ” and must not present a danger
of double jeopardy. 

v. United States, 

, 83 (1935)).
A variance typically is immaterial if the government has
proven that the criminal act occurred on a date “reasonably
near” the date cited in the indictment. See United States v.
Hinton, 

, 672-73 (9th Cir. 2000) (eighteen days);
United States v. Baker, 

, 1419 (9th Cir. 1993)
(two months), overruled on other grounds by United States v.
Nordby, 

(9th Cir. 2000); Lelles v. United
States, 

, 25 (9th Cir. 1957) (nineteen days). But
see 

(two years); United
States v. Casterline, 

, 78-79 (9th Cir. 1996) (seven
months).
[6] Here, the prosecution offered proof of the defendant’s
actions on six dates between December 9, 2002, and January
16, 2003, with the final damage occurring on January 29,
2003. Because he went to trial assuming seven counts relating
to each of those dates, Shea was clearly not prejudiced by the
consolidation into one count relating to one date. The indict-
ment, despite its many amendments, “sufficiently notif[ied]
the defendant of the charges against him and enable[d] him to
prepare a defense.” United States v. Laykin, 

,
1542 (9th Cir. 1989). Therefore, we reject Shea’s argument
based on this discrepancy.
8302                 UNITED STATES v. SHEA
IV.   Request for New Counsel
Shea argues he was entitled to new counsel because his trial
counsel failed to elicit certain testimony about his program-
ming skills, the possibility that other people may have figured
out how to program in the required languages, and his ability
to delete all the records if he had wanted to. When the district
court denied Shea’s request, it observed that many of his
points had been brought out on cross examination, that trial
counsel was entitled to make strategy decisions, and that Shea
appeared to get along with this attorney. We review this deci-
sion for abuse of discretion. United States v. George, 

, 1438 (9th Cir. 1996).
[7] Our review considers three factors: (1) the timeliness of
the motion; (2) the adequacy of the court’s inquiry into the
defendant’s complaint; and (3) whether the conflict between
the defendant and his attorney was so great that it resulted in
a total lack of communication preventing an adequate legal
defense. 

these factors, we find that little weighs in
Shea’s favor. He made this motion midtrial, was granted con-
siderable time to explain his problems with his counsel, and
clearly had discussed these issues with his attorney. See 

decision not to present a defense was tactical
and within her discretion. See United States v. Appoloney, 

, 525 (9th Cir. 1985). Therefore, we hold that the dis-
trict court did not abuse its discretion in denying Shea’s
motion.
V.   Conclusion
We hold that the evidence was sufficient to support Shea’s
conviction, that any variance between the date in the indict-
ment and the date of Shea’s acts was immaterial, and that the
district court’s refusal to appoint new counsel was appropri-
UNITED STATES v. SHEA   8303
ate. Therefore, the conviction is
AFFIRMED.