United States v. Morris, 928 F.2d 504 (2d Cir. 1991) (full-text).
Morris created an Internet program known as a "worm," which spread to computers across the country and caused damage. To enable the worm to spread, Morris exploited vulnerabilities in two processes he was authorized to use: "sendmail" (an e-mail program) and "finger" (a program used to find out certain information about the users of other computers on the network).
Morris was convicted under a previous version of Section 1030(a)(5) of the Computer Fraud and Abuse Act (CFAA), which punished "intentionally accessing a Federal interest computer without authorization," despite the fact that Morris had limited authorization to use the system.
Appellate Court Proceedings
On appeal, Morris argued that because he had authorization to engage in certain activities, such as sending electronic mail, on some university computers, he had merely exceeded authorized access, rather than having gained unauthorized access.
The Second Circuit rejected Morris' argument on three grounds. First, it held that the fact that the defendant had authorization to use certain computers on a network did not insulate his behavior when he gained access to other computers that were beyond his authorization. "Congress did not intend an individual's authorized access to one federal interest computer to protect him from prosecution, no matter what other federal interest computers he accesses." Rather, "Congress contemplated that individuals with access to some federal interest computers would be subject to liability under the computer fraud provisions for gaining unauthorized access to other federal interest computers."
Second, the court held that although Morris may have been authorized to use certain generally available functions—such as the e-mail or user query services—on the systems victimized by the "worm," he misused that access in such a way as to support a finding that his access was unauthorized. The court wrote that:
- Morris did not use either of those features in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.
Finally, the court held that even assuming the defendant's initial insertion of the worm simply exceeded his authorized access, evidence demonstrated that the worm was designed to spread to other computers and gain access to those computers without authorization by guessing their passwords.