United States v. Phillips

The Cyber Blog IndiaCase Summary

Applicability of the Mandatory Restitution to Victims Act (MVRA) in a case involving CFAA violations

United States v. Phillips
477 F.3d 215
In the United States Court of Appeals for the Fifth Circuit
Case Number 05-51271
Before Chief Judge Jones, Circuit Judge Smith, and Circuit Judge Stewart
Decided on January 24, 2007

Relevancy of the Case: Applicability of the Mandatory Restitution to Victims Act (MVRA) in a case involving CFAA violations

Statutes and Provisions Involved

  • The Computer Fraud and Abuse Act, 18 U.S.C. § 1030
  • The Mandatory Restitution to Victims Act, 18 U.S.C. § 3663A

Relevant Facts of the Case

  • The defendant was a student at the University of Texas (UT). He signed UT’s acceptable use computer policy. This policy prohibited port scanning using a university computer account.
  • Nevertheless, he started using various programs to scan computer networks and steal encrypted data and passwords.
  • He amassed massive amounts of information by stealing and cataloguing personal and proprietary information. He used a program to hack into one of UT’s databases. He gained access to data of more than 45,000 current and prospective students, donors, and alumni.
  • His actions also hurt the UT system, causing it to crash multiple times. UT had to spend a lot of money assessing the damage and notifying the victims.
  • A jury trial indicted, convicted, and sentenced him to five years probation, community service, and restitution of $170,056. He has appealed against this conviction.

Prominent Arguments by the Counsels

  • The defendant-appellant’s counsel argued that the prosecution failed to produce sufficient evidence at trial to support his conviction. He alleged that the prosecution failed to prove that he had intentionally gained access without authorisation. CFAA provides for punishment for knowingly transmitting a program. However, the jury indicted him for intentionally accessing a protected computer.
  • Further, the counsel submitted that the District Court’s restitution order was erroneous. MRVA only provides restitution to the direct victims of a perpetrator’s conduct. Here, the amount also included the costs paid by UT for contacting the victims.

Opinion of the Bench

  • The defendant’s activities were not a part of the intended usage of the website. He did not have the required authorisation to access the database. Hence, there is sufficient evidence on record.
  • Without accessing a protected computer, he could not have transmitted the program and hacked into UT’s database. Hence, any arguments about indictment charges are immaterial.
  • MRVA authorises restitution of expenses incurred during participation in investigation or prosecution. UT was a victim and had incurred costs due to the defendant’s actions.

Final Decision

  • The Court of Appeals affirmed the conviction and sentence.

Anjali Agrawal, an undergraduate student at the NALSAR University of Law, prepared this case summary during her internship with The Cyber Blog India in May/June 2022.