United States v. Fabio Gasperini: The Click-fraud Botnet Case

The court rejected the challenge to the authentication of Internet Archive screenshots of websites registered to defendant for use in the click fraud scheme.

In this case, the court rejected defendant’s challenge to the authentication of screenshots of websites registered to defendant for use in the click fraud scheme, which were captured and stored by the Internet Archive, and maintained as business records of that entity. - Domingo J. Rivera

894 F.3d 482

UNITED STATES of America, Appellee, v. Fabio GASPERINI, Defendant-Appellant.

Docket No. 17-2479-cr

United States Court of Appeals, Second Circuit.

Decided: July 2, 2018

ORDER

Fabio Gasperini was convicted by a jury in the United States District Court for the Eastern District of New York (Nicholas G. Garaufis, Judge) of one count of misdemeanor computer intrusion in violation of 18 U.S.C. § 1030(a)(2)(C), a provision of the Computer Fraud and Abuse Act of 1986 (“CFAA”). Gasperini raises several challenges to his conviction. First, he contends that the statute that he was convicted of violating is unconstitutionally vague. Second, he asserts that the district court erroneously denied his motion to suppress evidence that was allegedly collected in violation of the Stored Communications Act. Third, he contends that the district court abused its discretion in allowing the government to introduce into evidence screenshots from the Internet Archive (also known as the “Wayback Machine”). Gasperini makes several other arguments, which are addressed in an accompanying summary order. Because we are not persuaded by any of Gasperini’s arguments, we AFFIRM the judgment of the district court.

BACKGROUND

The evidence discussed below is taken from the trial record. Insofar as it relates to the offense of conviction, the evidence is viewed in the light most favorable to the government, and we draw all reasonable inferences in its favor. United States v. Guadagna, 183 F.3d 122, 125 (2d Cir. 1999). As it relates to the sentencing issues discussed in the accompanying summary order, “we review the District Court’s factual findings relevant to a sentencing determination for clear error.” United States v. Johnson, 378 F.3d 230, 238 (2d Cir. 2004). In order to vacate such findings, “we must view the evidence in the light most favorable to the government and nevertheless find to be impermissible the factual determinations based upon that favorably-viewed evidence.” Id.

In 2014, a virus began infecting QNAP-brand devices.1 Computer security experts who detected the virus determined that the attacker behind the virus was attempting to covertly infiltrate computers. The attacker targeted QNAP computers, which do not log external internet connections, and used an often-overlooked port to access the computers. The virus installed malware, which included several commands for the computer to execute, in hidden directories on the infected computers. Once a computer was infected, the attacker installed a “backdoor” account, which had the status of a “superprivileged user,” with unrestricted access to and control over the computer’s data. After creating the backdoor account, the attacker patched the initial vulnerability that had allowed him access, thereby locking out other hackers. The infected computer was then instructed to scan the internet for other computers with the same vulnerability and infect them. In this way, the attacker created what is known as a “botnet”—a network of infected computers under the attacker’s control. An analysis of one of the servers used in the scheme revealed that more than 155,000 computers were infected worldwide. Many of those computers were located in the United States.

The virus’s commands accomplished different tasks. One command was designed to take certain username and password files from the infected computers and copy them onto a server. Another caused the infected computer to disguise itself as a human browsing the internet, and to click on certain banner advertisements. Yet another command prompted the botnet to launch coordinated attacks on certain websites, a practice known as distributed denial-of-service attacks.

United States investigators identified Gasperini, an Italian citizen, as the creator of the virus and perpetrator of the various attacks because he leased and operated several servers around the world that were used to host the malware and communicate with the infected computers. A search of Gasperini’s email account also found a “test” copy of the computer virus that was initially used to infect QNAP computers, and emails from Gasperini expressly referencing several of the scripts installed on the infected computers. Evidence later adduced at trial also linked Gasperini to a related “click fraud” scheme, in which the botnet computers were commanded to click on certain advertisements. Business records showed that several websites implicated in the scheme were registered in Gasperini’s name. Additionally, Gasperini contracted with an Italian advertising company to earn money for each advertisement viewed on these websites. Finally, evidence at trial tended to show that Gasperini monitored the operation. This included emails from his servers reporting “clicks completed” and a photograph of his home computer commanding his botnet to click on advertising banners. After his arrest in the Netherlands, Gasperini deleted the contents of his Google account, deactivated his Facebook account, and instructed someone to discard the hard drives in his home and erase others.

A grand jury charged Gasperini with felony crimes of computer intrusion with intent to defraud, for financial gain, and in furtherance of criminal acts; wire fraud conspiracy; wire fraud; and money laundering. After a seven-day jury trial, he was acquitted of all felony charges, and was convicted only of misdemeanor computer intrusion in violation of 18 U.S.C. § 1030(a)(2)(C), a lesser-included crime within one of the computer intrusion felonies charged in the indictment.2 At sentencing, the trial judge found that the government had proven, by a preponderance of the evidence, that Gasperini had committed the felony offenses with which he was charged. Accordingly, those crimes were considered as relevant conduct in calculating the applicable Guidelines range, resulting in a range of 63 to 78 months’ incarceration, which was capped by the statutory maximum of imprisonment for one year. The district court sentenced Gasperini principally to that statutory maximum. He now appeals from that conviction.3

DISCUSSION

I. Vagueness

The statute under which Gasperini stands convicted punishes anyone who “intentionally accesses a computer without authorization … and thereby obtains … information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). Gasperini argues that the statute is unconstitutionally vague because it does not define the terms “access,” “authorization,” and “information,” and because the definition of “protected computer” in § 1030(e)(2) is overbroad.

[894 F.3d 487] Because Gasperini did not raise this challenge below, we review it for plain error. United States v. Boyland, 862 F.3d 279, 288 (2d Cir. 2017), cert. denied, ––– U.S. ––––, 138 S.Ct. 938, 200 L.Ed.2d 212 (2018). When reviewing for plain error under Federal Rule of Criminal Procedure 52(b), an appellate court has discretion to correct an error not raised at trial only where the appellant demonstrates that “(1) there is an error; (2) the error is clear or obvious …; (3) the error affected the appellant’s substantial rights …; and (4) the error seriously affects the fairness, integrity[,] or public reputation of judicial proceedings.” United States v. Marcus, 560 U.S. 258, 262, 130 S.Ct. 2159, 176 L.Ed.2d 1012 (2010) (internal quotation marks and brackets omitted). Gasperini cannot clear the hurdle set by the second of these requirements. “At a minimum, a court of appeals cannot correct an error pursuant to Rule 52(b) unless the error is clear under current law.” United States v. Olano, 507 U.S. 725, 734, 113 S.Ct. 1770, 123 L.Ed.2d 508 (1993); see also Rosales-Mireles v. United States, ––– U.S. ––––, 138 S.Ct. 1897, ––– L.Ed.2d –––– (2018). Gasperini cites no authority from any court—let alone one whose decisions are binding on us—holding, or even suggesting, that § 1030(a)(2)(C) is unconstitutionally vague. Accordingly, we cannot conclude that the district court plainly erred by not sua sponte dismissing the indictment on that ground.

In any event, Gasperini has not identified a due process violation here. “A conviction fails to comport with due process if the statute under which it is obtained fails to provide a person of ordinary intelligence fair notice of what is prohibited, or is so standardless that it authorizes or encourages seriously discriminatory enforcement.” United States v. Williams, 553 U.S. 285, 304, 128 S.Ct. 1830, 170 L.Ed.2d 650 (2008). We apply this standard in the context of the facts at issue, because, outside of the First Amendment context, an individual “who engages in some conduct that is clearly proscribed cannot complain of the vagueness of the law as applied to the conduct of others.” Id. Even if we assume, arguendo, that the statute’s application may be unclear in some marginal cases (including some fanciful possibilities conjured in Gasperini’s appellate brief), Gasperini’s conduct falls squarely and unambiguously within the core prohibition of the statute. “Congress enacted the CFAA in 1984 to address ‘computer crime,’ which was then principally understood as ‘hacking’ or trespassing into computer systems or data.” United States v. Valle, 807 F.3d 508, 525 (2d Cir. 2015), citing H.R. Rep. No. 98-894, at 3691–92, 3695–97 (1984), and S. Rep. No. 99-432, at 2480 (1986). In this case, Gasperini was found by the jury to have hacked into thousands of computers without permission, thereby gaining access to all of the information stored on those computers. The jury further found Gasperini guilty of taking information, including usernames and passwords, from at least some of those computers. There is thus no doubt that all of these actions fall within the core meaning of the phrase “accesses a computer without authorization … and thereby obtains … information from [a] protected computer” as the italicized terms are used in § 1030(a)(2)(C).4 Accordingly, [894 F.3d 488] Gasperini’s challenge to the constitutionality of 18 U.S.C. § 1030(a)(2)(C) fails.

II. Suppression

Gasperini next argues that the district court should have suppressed certain evidence introduced by the government at trial, including (1) evidence obtained pursuant to search warrants issued under the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., and (2) evidence obtained during searches of his home in Italy by Italian law enforcement officers pursuant to warrants issued by Italian courts. The district court did not err with respect to either category of evidence.

Gasperini first argues that the SCA warrants were extraterritorial warrants not authorized by that Act. He relies on this Court’s decision in Matter of Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016), vacated as moot sub nom. United States v. Microsoft Corp., ––– U.S. ––––, 138 S.Ct. 1186, 200 L.Ed.2d 610 (2018), in which we held that the SCA does not apply extraterritorially, and does not authorize the seizure of electronic communications stored on servers located outside of the United States. Id. at 222.5 Even assuming that at least some of the warrants demanded and acquired electronic communications stored abroad,6 and that our ruling in Microsoft—which was vacated as moot by the Supreme Court—correctly states the law, suppression still would not be required, because suppression of evidence is not a remedy available for violation of the SCA. Congress provided a number of specific remedies for such violations; these do not include suppression of evidence in a criminal case. See 18 U.S.C. § 2707(b) (listing “appropriate relief” in a “civil action” as “equitable or declaratory relief,” “damages,” and “a reasonable attorney’s fee and other litigation costs reasonably incurred”); [894 F.3d 489] 18 U.S.C. § 2707(d) (providing for “disciplinary action against the officer or employee” who violated the Act). Moreover, Congress expressly provided that the listed remedies are exclusive, stating in § 2708 that the “remedies and sanctions described in this chapter are the only judicial remedies and sanctions for nonconstitutional violations of this chapter.” (Emphasis added).7 Gasperini does not request any form of relief authorized under the SCA, nor does he argue that any of the purported statutory violations he identifies also violate the Constitution, and we find no basis for any such argument. Accordingly, the district court did not err in denying Gasperini’s motion to suppress the evidence collected pursuant to the SCA warrants.

Gasperini’s challenge to the use of hard drives and documents obtained from Italian law enforcement officials who searched his home fares no better. The searches were conducted pursuant to an Italian warrant, and Gasperini makes no claim that the warrant was issued in violation of Italian law. He argues instead that the Italian officials acted at the behest of American law enforcement agents, thus making them subject to American constitutional requirements for searches. “In order to render foreign law enforcement officials virtual agents of the United States, American officials must play some role in controlling or directing the conduct of the foreign parallel investigation.” United States v. Getto, 729 F.3d 221, 230 (2d Cir. 2013). Beyond alleging that the search was conducted at the request of the U.S. government, however, Gasperini does not argue that Italian officials were controlled by American law enforcement agents. A mere request is not sufficient to show control. See, e.g., id. (“It is not enough that the foreign government undertook its investigation pursuant to an American [Mutual Law Enforcement Assistance Treaty] request.”) There is thus no basis for Gasperini’s efforts to apply to the Italian searches the constitutional standards that would apply to domestic searches conducted by United States officers.

III. The Wayback Machine

Finally, Gasperini challenges an evidentiary ruling made by the district court permitting the government to introduce screenshots of various websites taken by the Internet Archive, more commonly known as the “Wayback Machine.” “A district court judge is in the best position to evaluate the admissibility of offered evidence. For that reason, we will overturn a district court’s ruling on admissibility only if there is a clear showing that the court abused its discretion or acted arbitrarily or irrationally.” United States v. Valdez, 16 F.3d 1324, 1332 (2d Cir. 1994) (internal citation omitted). We detect no such abuse of discretion here. Gasperini challenges the authentication of screenshots of websites registered to Gasperini for use in the click fraud scheme, which were captured and stored by the Internet Archive, and maintained as business records of that entity. Federal Rule of Evidence 901(a) requires that before evidence is admitted, “the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.” That standard was amply met here. [894 F.3d 490]

Gasperini relies on Novak v. Tucows, Inc., 330 F.App’x 204 (2d Cir. 2009), in which we affirmed a district court decision excluding screenshots from the Archive for lack of authentication. In that non-precedential summary order, however, we held only that the district court did not abuse its discretion in excluding the evidence in a civil trial, where the proponent of the evidence offered no testimony explaining its provenance. Id. at 206, aff’g Novak v. Tucows, Inc., No. 06-CV-1909, 2007 WL 922306 (E.D.N.Y. Mar. 26, 2007). Here, in contrast, the government presented testimony from the office manager of the Internet Archive, who explained how the Archive captures and preserves evidence of the contents of the internet at a given time. The witness also compared the screenshots sought to be admitted with true and accurate copies of the same websites maintained in the Internet Archive, and testified that the screenshots were authentic and accurate copies of the Archive’s records. Based on this testimony, the district court found that the screenshots had been sufficiently authenticated. The Third Circuit considered the admissibility of Internet Archive records on a similar record in United States v. Bansal, 663 F.3d 634, 667–68 (3d Cir. 2011). In that case, the court found that where a witness testified, from personal knowledge, “about how the Wayback Machine website works and how reliable its contents are,” there was sufficient evidence to authenticate screenshots taken from that website. Id. at 667. We agree with the holding of the court in Bansal, and hold that the testimony presented in this case by the government was “sufficient proof … that a reasonable juror could find in favor of authenticity or identification.” United States v. Tin Yat Chin, 371 F.3d 31, 38 (2d Cir. 2004).
Gasperini was free to cross-examine the witness about the nature and reliability of the Archive’s procedures for capturing and cataloguing the contents of the internet at particular times, and the jury was thus enabled to make its own decision about the weight, if any, to be given to the records. Accordingly, a sufficient basis was laid to place the admission of the evidence well within the discretion of the district court, and Gasperini’s challenge therefore fails.

CONCLUSION

For the foregoing reasons, and those set forth in the accompanying summary order, we AFFIRM the judgment of the district court.

Notes:

1 QNAP Incorporated is a company headquartered in Taiwan, with offices and warehouses in California, that manufactures and sells “network attached storages,” which are computers specifically designed for the storage of data.

2 The misdemeanor offense lacks the aggravating purpose element of the felony charged in the indictment. See 18 U.S.C. § 1030(c)(2) (establishing escalating penalties for violations of § 1030(a)(2) under various circumstances).

3 Gasperini has served his sentence and has been deported to Italy.

4 Gasperini’s questioning of the definition of “protected computer” is also meritless. The definition describes a wide range of computers, including ones “used in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2)(B). That standard, a familiar limitation on the reach of any number of federal criminal statutes, has never been found void for vagueness.

5 As we explained in Microsoft, SCA “warrants,” although issued only when the constitutional standards governing conventional search warrants are met, do not authorize agents to enter premises and search for evidence, but rather are served on a third-party holder of electronic communications and demand that the third party turn over the information called for in the warrant. See 829 F.3d at 214 (describing the operation of SCA warrants). In that respect, SCA warrants function analogously to subpoenas. See id. at 226–29 (Lynch, J., concurring in the judgment).

6 Gasperini asserts that because he lived in Italy, it is “obvious” that his emails and Google Drive files were stored in Google’s foreign servers. Appellant’s Br. at 36. That assertion is far from obvious, however. Prior to our decision in Microsoft, Google appears to have stored user data at locations that bore no relation to the location of the user. See, e.g., In re Search of Content that is Stored at Premises Controlled By Google, No. 16-MC-80263-LB, 2017 WL 1398279, at *4 (N.D. Cal. Apr. 19, 2017) (“Unlike Microsoft, where storage of information was tethered to a user’s reported location, there is no storage decision here. The process of distributing information is automatic, via an algorithm, and in aid of network efficiency”) (internal citation omitted) (amended and superseded on other grounds by In re Search of Content that is Stored at Premises Controlled by Google, No. 16-MC-80263-LB, 2017 WL 1487625, at *1 (N.D. Cal. Apr. 25, 2017)); In re Search Warrant No. 16-960-M-01 to Google, 232 F.Supp.3d 708, 712 (E.D. Pa. 2017) (“Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time.”) (internal citations omitted). Gasperini musters no evidence to support his conclusory assertion that in his case, the emails and files obtained from Google had, in fact, been stored abroad.

7 Our reading of the SCA as not requiring or authorizing suppression of evidence for nonconstitutional violations of its provisions is consistent with the rulings of our sister circuits that have considered the issue. See, e.g., United States v. Clenney, 631 F.3d 658, 667 (4th Cir. 2011); United States v. Guerrero, 768 F.3d 351, 358 (5th Cir. 2014); United States v. Smith, 155 F.3d 1051, 1056 (9th Cir. 1998); United States v. Perrine, 518 F.3d 1196, 1202 (10th Cir. 2008); United States v. Steiger, 318 F.3d 1039, 1049 (11th Cir. 2003).
