United States v. Gasperini , 894 F.3d 482 ( 2018 )

17-2479
United States v. Gasperini
UNITED STATES COURT OF APPEALS
FOR THE SECOND CIRCUIT
August Term, 2017
(Argued: June 6, 2018     Decided: July 2, 2018)
Docket No. 17-2479-cr
UNITED STATES OF AMERICA,
Appellee,
— v. —
FABIO GASPERINI,
Defendant-Appellant.
Before:
CABRANES, LYNCH, and CARNEY, Circuit Judges.
__________________
Fabio Gasperini appeals from a judgment, entered after a jury trial in the
United States District Court for the Eastern District of New York (Nicholas G.
Garaufis, Judge), convicting him of misdemeanor computer intrusion in violation
of 18 U.S.C. § 1030(a)(2)(C), and sentencing him to one year in prison. On appeal,
Gasperini argues, among other things, that the computer intrusion statute is
unconstitutionally vague; that the district court erred in denying his motion to
suppress evidence that was seized in purported violation of the Stored
Communications Act; and that the district court abused its discretion in allowing
the government to introduce into evidence screenshots from the Internet Archive.
Because we find these arguments (and, as explained in an accompanying
summary order, all of Gasperini’s other arguments) to be meritless, we AFFIRM
the judgment of the district court.
SARITHA KOMATIREDDY, Assistant United States Attorney (David C.
James, Assistant United States Attorney, on the brief), for Richard
P. Donoghue, United States Attorney for the Eastern District of
New York, New York, NY.
SIMONE BERTOLLINI (Paul F. O’Reilly, on the brief), Law Offices of
Simone Bertollini, New York, NY, for Defendant-Appellant Fabio
Gasperini.
GERARD E. LYNCH, Circuit Judge:
Fabio Gasperini was convicted by a jury in the United States District Court
for the Eastern District of New York (Nicholas G. Garaufis, Judge) of one count of
misdemeanor computer intrusion in violation of 18 U.S.C. § 1030(a)(2)(C), a
provision of the Computer Fraud and Abuse Act of 1986 (“CFAA”). Gasperini
raises several challenges to his conviction. First, he contends that the statute that
he was convicted of violating is unconstitutionally vague. Second, he asserts that
the district court erroneously denied his motion to suppress evidence that was
2
allegedly collected in violation of the Stored Communications Act. Third, he
contends that the district court abused its discretion in allowing the government
to introduce into evidence screenshots from the Internet Archive (also known as
the “Wayback Machine”). Gasperini makes several other arguments, which are
addressed in an accompanying summary order. Because we are not persuaded
by any of Gasperini’s arguments, we AFFIRM the judgment of the district court.
BACKGROUND
The evidence discussed below is taken from the trial record. Insofar as it
relates to the offense of conviction, the evidence is viewed in the light most
favorable to the government, and we draw all reasonable inferences in its favor.
United States v. Guadagna, 

, 125 (2d Cir. 1999). As it relates to the
sentencing issues discussed in the accompanying summary order, “we review
the District Court’s factual findings relevant to a sentencing determination for
clear error.” United States v. Johnson, 

, 238 (2d Cir. 2004). In order to
vacate such findings, “we must view the evidence in the light most favorable to
the government and nevertheless find to be impermissible the factual
determinations based upon that favorably-viewed evidence.” 

2014, a virus began infecting QNAP-brand devices.1 Computer security
experts who detected the virus determined that the attacker behind the virus was
attempting to covertly infiltrate computers. The attacker targeted QNAP
computers, which do not log external internet connections, and used an often-
overlooked port to access the computers. The virus installed malware, which
included several commands for the computer to execute, in hidden directories on
the infected computers. Once a computer was infected, the attacker installed a
“backdoor” account, which had the status of a “superprivileged user,” with
unrestricted access to and control over the computer’s data. After creating the
backdoor account, the attacker patched the initial vulnerability that had allowed
him access, thereby locking out other hackers. The infected computer was then
instructed to scan the internet for other computers with the same vulnerability
and infect them. In this way, the attacker created what is known as a “botnet” – a
network of infected computers under the attacker’s control. An analysis of one of
the servers used in the scheme revealed that more than 155,000 computers were
infected worldwide. Many of those computers were located in the United States.
1
QNAP Incorporated is a company headquartered in Taiwan, with offices and
warehouses in California, that manufactures and sells “network attached
storages,” which are computers specifically designed for the storage of data.
4
The virus’s commands accomplished different tasks. One command was
designed to take certain username and password files from the infected
computers and copy them onto a server. Another caused the infected computer
to disguise itself as a human browsing the internet, and to click on certain banner
advertisements. Yet another command prompted the botnet to launch
coordinated attacks on certain websites, a practice known as distributed denial-
of-service attacks.
United States investigators identified Gasperini, an Italian citizen, as the
creator of the virus and perpetrator of the various attacks because he leased and
operated several servers around the world that were used to host the malware
and communicate with the infected computers. A search of Gasperini’s email
account also found a “test” copy of the computer virus that was initially used to
infect QNAP computers, and emails from Gasperini expressly referencing several
of the scripts installed on the infected computers.
Evidence later adduced at trial also linked Gasperini to a related “click
fraud” scheme, in which the botnet computers were commanded to click on
certain advertisements. Business records showed that several websites implicated
in the scheme were registered in Gasperini’s name. Additionally, Gasperini
5
contracted with an Italian advertising company to earn money for each
advertisement viewed on these websites. Finally, evidence at trial tended to show
that Gasperini monitored the operation. This included emails from his servers
reporting “clicks completed” and a photograph of his home computer
commanding his botnet to click on an advertising banners. After his arrest in the
Netherlands, Gasperini deleted the contents of his Google account, deactivated
his Facebook account, and instructed someone to discard the hard drives in his
home and erase others.
A grand jury charged Gasperini with felony crimes of computer intrusion
with intent to defraud, for financial gain, and in furtherance of criminal acts; wire
fraud conspiracy; wire fraud; and money laundering. After a seven-day jury trial,
he was acquitted of all felony charges, and was convicted only of misdemeanor
computer intrusion in violation of 18 U.S.C. § 1030(a)(2)(C), a lesser-included
crime within one of the computer intrusion felonies charged in the indictment.2
At sentencing, the trial judge found that the government had proven, by a
preponderance of the evidence, that Gasperini had committed the felony offenses
2
The misdemeanor offense lacks the aggravating purpose element of the felony
charged in the indictment. See 18 U.S.C. § 1030(c)(2) (establishing escalating
penalties for violations of § 1030(a)(2) under various circumstances).
6
with which he was charged. Accordingly, those crimes were considered as
relevant conduct in calculating the applicable Guidelines range, resulting in a
range of 63 to 78 months’ incarceration, which was capped by the statutory
maximum of imprisonment for one year. The district court sentenced Gasperini
principally to that statutory maximum. He now appeals from that conviction.3
DISCUSSION
I.       Vagueness
The statute under which Gasperini stands convicted punishes anyone who
“intentionally accesses a computer without authorization . . . and thereby obtains
. . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C).
Gasperini argues that the statute is unconstitutionally vague because it does not
define the terms “access,” “authorization,” and “information,” and because the
definition of “protected computer” in § 1030(e)(2) is overbroad.
Because Gasperini did not raise this challenge below, we review it for plain
error. United States v. Boyland, 

, 288 (2d Cir. 2017), cert. denied, 138 S.
Ct. 938 (2018). When reviewing for plain error under Federal Rule of Criminal
Procedure 52(b), an appellate court has discretion to correct an error not raised at
3
Gasperini has served his sentence and has been deported to Italy.
7
trial only where the appellant demonstrates that “(1) there is an error; (2) the
error is clear or obvious . . . ; (3) the error affected the appellant’s substantial
rights . . . ; and (4) the error seriously affects the fairness, integrity[,] or public
reputation of judicial proceedings.” United States v. Marcus, 

, 262
(2010) (internal quotation marks and brackets omitted).
Gasperini cannot clear the hurdle set by the second of these requirements.
“At a minimum, a court of appeals cannot correct an error pursuant to Rule 52(b)
unless the error is clear under current law.” United States v. Olano, 

,
734 (1993); see also Rosales-Mireles v. United States, 

(2018). Gasperini
cites no authority from any court – let alone one whose decisions are binding on
us – holding, or even suggesting, that § 1030(a)(2)(C) is unconstitutionally vague.
Accordingly, we cannot conclude that the district court plainly erred by not sua
sponte dismissing the indictment on that ground.
In any event, Gasperini has not identified a due process violation here. “A
conviction fails to comport with due process if the statute under which it is
obtained fails to provide a person of ordinary intelligence fair notice of what is
prohibited, or is so standardless that it authorizes or encourages seriously
discriminatory enforcement.” United States v. Williams, 

, 304 (2008).
8
We apply this standard in the context of the facts at issue, because, outside of the
First Amendment context, an individual “who engages in some conduct that is
clearly proscribed cannot complain of the vagueness of the law as applied to the
conduct of others.” 

we assume, arguendo, that the statute’s application may be unclear
in some marginal cases (including some fanciful possibilities conjured in
Gasperini’s appellate brief), Gasperini’s conduct falls squarely and
unambiguously within the core prohibition of the statute. “Congress enacted the
CFAA in 1984 to address ‘computer crime,’ which was then principally
understood as ‘hacking’ or trespassing into computer systems or data.” United
States v. Valle, 

, 525 (2d Cir. 2015), citing H.R. Rep. No. 98-894, at
3691–92, 3695–97 (1984), and S. Rep. No. 99-432, at 2480 (1986). In this case,
Gasperini was found by the jury to have hacked into thousands of computers
without permission, thereby gaining access to all of the information stored on
those computers. The jury further found Gasperini guilty of taking information,
including usernames and passwords, from at least some of those computers.
There is thus no doubt that all of these actions fall within the core meaning of the
phrase “accesses a computer without authorization . . . and thereby obtains . . .
9
information from [a] protected computer” as the italicized terms are used in
§ 1030(a)(2)(C).4 Accordingly, Gasperini’s challenge to the constitutionality of 18
U.S.C. § 1030(a)(2)(C) fails.
II.   Suppression
Gasperini next argues that the district court should have suppressed
certain evidence introduced by the government at trial, including (1) evidence
obtained pursuant to search warrants issued under the Stored Communications
Act (“SCA”), 18 U.S.C. § 2701 et seq., and (2) evidence obtained during searches of
his home in Italy by Italian law enforcement officers pursuant to warrants issued
by Italian courts. The district court did not err with respect to either category of
evidence.
Gasperini first argues that the SCA warrants were extraterritorial warrants
not authorized by that Act. He relies on this Court’s decision in Matter of Warrant
to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 

(2d Cir. 2016), vacated as moot sub nom. United States v. Microsoft Corp., 138
4
Gasperini’s questioning of the definition of “protected computer” is also
meritless. The definition describes a wide range of computers, including ones
“used in or affecting interstate or foreign commerce or communication.” 18
U.S.C. § 1030(e)(2)(B). That standard, a familiar limitation on the reach of any
number of federal criminal statutes, has never been found void for vagueness.

(2018), in which we held that the SCA does not apply extraterritorially,
and does not authorize the seizure of electronic communications stored on
servers located outside of the United States. 

Even assuming that at least some of the warrants demanded and acquired
electronic communications stored abroad,6 and that our ruling in Microsoft –
5
As we explained in Microsoft, SCA “warrants,” although issued only when the
constitutional standards governing conventional search warrants are met, do not
authorize agents to enter premises and search for evidence, but rather are served
on a third-party holder of electronic communications and demand that the third
party turn over the information called for in the warrant. 

(describing the operation of SCA warrants). In that respect, SCA warrants
function analogously to subpoenas. See 

(Lynch, J., concurring in the
judgment).
6
Gasperini asserts that because he lived in Italy, it is “obvious” that his emails
and Google Drive files were stored in Google’s foreign servers. Appellant’s Br. at
36. That assertion is far from obvious, however. Prior to our decision in Microsoft,
Google appears to have stored user data at locations that bore no relation to the
location of the user. See, e.g., In re Search of Content that is Stored at Premises
Controlled By Google, No. 16-MC-80263-LB, 

, at *4 (N.D. Cal. Apr.
19, 2017) (“Unlike Microsoft, where storage of information was tethered to a user's
reported location, there is no storage decision here. The process of distributing
information is automatic, via an algorithm, and in aid of network efficiency”)
(internal citation omitted) (amended and superseded on other grounds by In re Search
of Content that is Stored at Premises Controlled by Google, No. 16-MC-80263-LB, 

, at *1 (N.D. Cal. Apr. 25, 2017); In re Search Warrant No. 16-960-M-01
to Google, 

, 712 (E.D. Pa. 2017) (“Google stores user data in
various locations, some of which are in the United States and some of which are
in countries outside the United States. Some user files may be broken into
component parts, and different parts of a single file may be stored in different
11
which was vacated as moot by the Supreme Court – correctly states the law,
suppression still would not be required, because suppression of evidence is not a
remedy available for violation of the SCA. Congress provided a number of
specific remedies for such violations; these do not include suppression of
evidence in a criminal case. See 18 U.S.C. § 2707(b) (listing “appropriate relief” in
a “civil action” as “equitable or declaratory relief,” “damages,” and “a reasonable
attorney's fee and other litigation costs reasonably incurred”); 18 U.S.C. § 2707(d)
(providing for “disciplinary action against the officer or employee” who violated
the Act). Moreover, Congress expressly provided that the listed remedies are
exclusive, stating in § 2708 that the “remedies and sanctions described in this
chapter are the only judicial remedies and sanctions for nonconstitutional
violations of this chapter.” (Emphasis added).7 Gasperini does not request any
locations (and, accordingly, different countries) at the same time.”) (internal
citations omitted). Gasperini musters no evidence to support his conclusory
assertion that in his case, the emails and files obtained from Google had, in fact,
been stored abroad.
7
Our reading of the SCA as not requiring or authorizing suppression of evidence
for nonconstitutional violations of its provisions is consistent the rulings of our
sister circuits that have considered the issue. See, e.g., United States v. Clenney, 

, 667 (4th Cir. 2011); United States v. Guerrero, 

, 358 (5th Cir.
2014); United States v. Smith, 

, 1056 (9th Cir. 1998); United States v.
Perrine, 

, 1202 (10th Cir. 2008); United States v. Steiger, 

,
1049 (11th Cir. 2003).
12
form of relief authorized under the SCA, nor does he argue that any of the
purported statutory violations he identifies also violate the Constitution, and we
find no basis for any such argument. Accordingly, the district court did not err in
denying Gasperini’s motion to suppress the evidence collected pursuant to the
SCA warrants.
Gasperini’s challenge to the use of hard drives and documents obtained
from Italian law enforcement officials who searched his home fares no better. The
searches were conducted pursuant to an Italian warrant, and Gasperini makes no
claim that the warrant was issued in violation of Italian law. He argues instead
that the Italian officials acted at the behest of American law enforcement agents,
thus making them subject to American constitutional requirements for searches.
“In order to render foreign law enforcement officials virtual agents of the United
States, American officials must play some role in controlling or directing the
conduct of the foreign parallel investigation.” United States v. Getto, 

,
230 (2d Cir. 2013). Beyond alleging that the search was conducted at the request
of the U.S. government, however, Gasperini does not argue that Italian officials
were controlled by American law enforcement agents. A mere request is not
sufficient to show control. See, e.g., 

not enough that the foreign
13
government undertook its investigation pursuant to an American [Mutual Law
Enforcement Assistance Treaty] request.”) There is thus no basis for Gasperini’s
efforts to apply to the Italian searches the constitutional standards that would
apply to domestic searches conducted by United States officers.
III.   The Wayback Machine
Finally, Gasperini challenges an evidentiary ruling made by the district
court permitting the government to introduce screenshots of various websites
taken by the Internet Archive, more commonly known as the “Wayback
Machine.” “A district court judge is in the best position to evaluate the
admissibility of offered evidence. For that reason, we will overturn a district
court’s ruling on admissibility only if there is a clear showing that the court
abused its discretion or acted arbitrarily or irrationally.” United States v. Valdez, 

, 1332 (2d Cir. 1994) (internal citation omitted). We detect no such abuse
of discretion here.
Gasperini challenges the authentication of screenshots of websites
registered to Gasperini for use in the click fraud scheme, which were captured
and stored by the Internet Archive, and maintained as business records of that
entity. Federal Rule of Evidence 901(a) requires that before evidence is admitted,
14
“the proponent must produce evidence sufficient to support a finding that the
item is what the proponent claims it is.” That standard was amply met here.
Gasperini relies on Novak v. Tucows, Inc., 330 F.App’x 204 (2d Cir. 2009), in
which we affirmed a district court decision excluding screenshots from the
Archive for lack of authentication. In that non-precedential summary order,
however, we held only that the district court did not abuse its discretion in
excluding the evidence in a civil trial, where the proponent of the evidence
offered no testimony explaining its provenance. 

aff’g Novak v. Tucows,
Inc., No. 06-CV-1909, 

(E.D.N.Y. Mar. 26, 2007). Here, in contrast,
the government presented testimony from the office manager of the Internet
Archive, who explained how the Archive captures and preserves evidence of the
contents of the internet at a given time. The witness also compared the
screenshots sought to be admitted with true and accurate copies of the same
websites maintained in the Internet Archive, and testified that the screenshots
were authentic and accurate copies of the Archive’s records. Based on this
testimony, the district court found that the screenshots had been sufficiently
authenticated.
15
The Third Circuit considered the admissibility of Internet Archive records
on a similar record in United States v. Bansal, 

, 667–68 (3d Cir. 2011).
In that case, the court found that where a witness testified, from personal
knowledge, “about how the Wayback Machine website works and how reliable
its contents are,” there was sufficient evidence to authenticate screenshots taken
from that website. 

We agree with the holding of the court in Bansal, and
hold that the testimony presented in this case by the government was “sufficient
proof . . . that a reasonable juror could find in favor of authenticity or
identification.” United States v. Tin Yat Chin, 

, 38 (2d Cir. 2004).
Gasperini was free to cross-examine the witness about the nature and reliability
of the Archive’s procedures for capturing and cataloguing the contents of the
internet at particular times, and the jury was thus enabled to make its own
decision about the weight, if any, to be given to the records. Accordingly, a
sufficient basis was laid to place the admission of the evidence well within the
discretion of the district court, and Gasperini’s challenge therefore fails.
CONCLUSION
For the foregoing reasons, and those set forth in the accompanying
summary order, we AFFIRM the judgment of the district court.
16