USA v. JohnstonRESPONSES.D.N.Y.June 26, 2015UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK UNITED STATES OF AMERICA, Plaintiff, v. BRENDAN JOHNSTON, Defendant. 14-CR-404-JMF DEFENDANT BRENDAN JOHNSTON’S RESPONSE TO THE GOVERNMENT’S SENTENCING MEMORANDUM June 15, 2015 Michael Zweiback Admitted Pro Hac Vice Arent Fox LLP 555 West Fifth Street, 48th Floor Los Angeles, CA 90013-1065 213.629.7400 Attorneys for Defendant Brendan Johnston Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 1 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 2 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 3 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 4 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 5 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 6 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 7 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 8 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 9 of 27 U.S. Department of Justice United States Attorney Southern District of New York The Silvio J. Mollo Building One Saint Andrew’s Plaza New York, New York 10007 April 6, 2015 BY ELECTRONIC MAIL The Honorable Valerie E. Caproni United States District Judge Southern District of New York Thurgood Marshall United States Courthouse 40 Foley Square New York, New York 10007 Re: United States v. Marlen Rappa, 14 Cr. 544 (VEC) Dear Judge Caproni: The Government respectfully writes in advance of the sentencing scheduled in the above-referenced case for April 13, 2015, and in response to the defendant’s supplemental sentencing memorandum dated April 1, 2015 (“Def. Supp. Mem.”). At the proceeding on March 13, 2015, the Court indicated that it saw “clear grounds for an upward departure,” pursuant to Application Note 20(A)(ii) to Section 2B1.1 of the United States Sentencing Guidelines (“Guidelines” or “U.S.S.G.”), based on the substantial invasions of privacy in this case. (3/13/15 Sent. Tr. 4). As the Government noted at the March 13 proceeding, the stipulated Guidelines range in the parties’ plea agreement did not include the upward departure now contemplated by the Court. Accordingly, the Government does not advocate for such a departure in this case. Nevertheless, the Government submits this letter to address some of the issues raised in the defendant’s supplemental submission. The defendant urges the Court not to upwardly depart under Application Note 20(A)(ii), or vary upward under 18 U.S.C. § 3553(a), on the grounds that the Guidelines already account for the defendant’s invasion of his victims’ privacy through (1) the two-level enhancement for a Section 1030 offense involving “intent to obtain personal information,” see U.S.S.G. § 2B1.1(b)(17)(A); and (2) the four-level enhancement because there were between 50 and 250 victims, see id. § 2B1.1(b)(2)(B). (Def. Supp. Mem. 2-6). Application of these two Case 1:14-cr-00544-VEC Document 43 Filed 04/06/15 Page 1 of 5Case 1:14-cr-0 40 -JMF Document 32 Filed 06/26/15 Page 10 27 Hon. Valerie E. Caproni April 6, 2015 Page 2 of 5 enhancements under U.S.S.G. § 2B1.1, however, does not necessarily preclude an upward departure under Application Note 20(A)(ii).1 While it is true that the Sentencing Commission added the two-level enhancement under § 2B1.1(b)(17)(A) specifically “to account for harm resulting from computer offenses that compromise personal information,” U.S. Sentencing Comm’n, Report to the Congress: Increased Penalties for Cyber Security Offenses (May 2003) (“May 2003 Report”) at 11, the Sentencing Commission did not simultaneously “narrow[] the scope of Application Note 20,” as the defendant asserts. (Def. Supp. Mem. 4). The defendant points to language added by the Sentencing Commission to Application Note 20 stating that an upward departure is warranted for a Section 1030 offense where “death resulted.” The Sentencing Commission made clear, however, that the addition of this language was intended to “expand[] the upward departure provision in § 2B1.1 addressing substantial non-monetary harms to account for violations of 18 U.S.C. § 1030 that result in death.” (May 2003 Report at 5 (emphasis added)). Moreover, the Sentencing Commission reiterated that the “list of factors a court may consider in determining whether an upward departure would be warranted” in Application Note 20 was “non-exhaustive.” (Id.). Thus, the Sentencing Commission’s addition of the two-level enhancement under § 2B1.1(b)(17)(A) simply did not work to preclude the availability of an upward departure under Application Note 20 in cases involving “a substantial invasion of a privacy interest.” U.S.S.G. § 2B1.1, cmt. n. 20(A)(ii) (2014). Likewise, application of the victim enhancement under § 2B1.1(b)(2)(B) does not limit the availability of an upward departure under Application Note 20(A)(ii).2 While this enhancement captures, to a 1 The Government does not understand the defendant to argue that application of the victim and “personal information” enhancements under § 2B1.1 in any way prevents the Court from considering an upward variance under Section 3553(a). 2 Although the defendant stipulated in the plea agreement to a four-level enhancement based on the number of victims, he now questions the “technical” applicability of that enhancement because “there was no ‘actual loss determined under subsection (b)(1).’” (Def. Supp. Mem. 5). The Government disagrees. As an initial matter, the “court is not required to calculate the amount of loss with certainty or precision but ‘need only make a reasonable estimate of the loss’ that is ‘based on available information.’” United States v. Norman, 776 F.3d 67, 79 (2d Cir. 2015) (quoting U.S.S.G. § 2B1.1 cmt. n.3(C)). Here, the trove of data that the defendant stole from his victims’ compromised computers, including pornography that victims obtained on the Internet, had at least some nominal market value. See U.S.S.G. § 2B1.1, cmt. n.3(C)(i) (stating that in calculating loss, the court should consider the “fair market value of the property unlawfully taken, copied, or destroyed” (emphasis added)). Further, it is undisputed that installation of the Blackshades malware compromised the integrity of victims’ computers, thus necessitating at least some remedial measures that would have imposed losses on victims in terms of repair costs and/or lost computer system time. See U.S.S.G. § 2B1.1, cmt. n.3(A)(v)(III). Accordingly, even if the victim’s nominal losses combined did not exceed the $5,000 threshold so as to trigger a loss enhancement under § 2B1.1(b)(1), the actual pecuniary losses to the victims nevertheless qualify them to be counted under § 2B1.1(b)(2). In any event, the defendant does not challenge the application of the victim enhancement in this case, Case 1:14-cr-00544-VEC Document 43 Filed 04/06/15 Page 2 of 5Case 1:14-cr-0 40 -JMF Document 32 Filed 06/26/15 Page 11 27 Hon. Valerie E. Caproni April 6, 2015 Page 3 of 5 certain extent, the scope of the defendant’s offense based on the numerical quantity of victims, it certainly does not account for the nature and severity of the harm that each victim suffered. Thus, while the Government is not advocating for an upward departure pursuant to Application Note 20, such a departure could be applied by the Court based on substantial non-monetary harm under the Guidelines notwithstanding the other enhancements to which the parties stipulated in the plea agreement. Moreover, the Court can and should consider the defendant’s egregious and repeated invasions of his victims’ privacy in its assessment of the factors set forth in 18 U.S.C. § 3553(a), particularly the nature, circumstances, and seriousness of the offense. In urging leniency under 18 U.S.C. § 3553(a), the defendant also argues that his case more resembles that of Juan Sanchez, a Blackshades customer who pled guilty to a misdemeanor Section 1030(a)(2)(C) offense and was sentenced to one year of probation, than that of Kyle Fedorek, a Blackshades customer who stole victims’ financial account user credentials and was sentenced to 24 months’ imprisonment. To be sure, there are differences between the defendant’s and Fedorek’s cases, including that: (1) Fedorek pled guilty to a Section 1030(a)(5)(A) offense, which triggered a four-level enhancement, see U.S.S.G. § 2B1.1(b)(18)(A)(ii), that does not apply here; (2) Fedorek infected over 400 victims’ computers, from which he obtained approximately 90 unauthorized access devices (in the form of financial account user credentials), resulting in a “loss” under § 2B1.1 of $45,000; and (3) Fedorek was in Criminal History Category II based on two earlier DWI convictions, and had been charged and intended to plead guilty to a marijuana trafficking offense in New Jersey. The defendant fails to acknowledge, however, the substantial similarity in the core harm caused his and Fedorek’s computer hacking – namely, invasion of privacy – which was the primary driver of Fedorek’s sentence. Indeed, in sentencing Fedorek to a below- Guidelines term of 24 months’ imprisonment, Judge Vernon S. Broderick discounted the financial aspects of Fedorek’s crime (see, e.g., Fedorek Tr. 34-35 (stating that the Guidelines calculation “overstates the seriousness of the offense” given that “there is no evidence that Mr. Fedorek used any device and there’s no evidence that there was an actual financial loss by any of the victims”)), and instead emphasized Fedorek’s invasion of his victims’ privacy (see id. at 34 (“There’s still no escaping that the defendant stole and invaded the privacy of his victims. In many ways, computers have replaced photo albums, phone directories, and diaries . . . . So, in many ways, it was as if the defendant literally entered the homes of these victims and stole their valuables.”). Furthermore, Judge Broderick’s sentence took into account Fedorek’s mitigating mental health circumstances, including depression, which resemble those cited by the defendant in urging leniency here. (See id. at 31 (“I do believe that Mr. Fedorek’s health issues that began when he was age 16, combined with the apparent impact those issues had on him, warrant consideration as part of his sentence.”)). affirming that he “abides by the terms of the plea agreement and the stipulation of the Guidelines range.” (Def. Supp. Mem. 6 n.2). Case 1:14-cr-00544-VEC Document 43 Filed 04/06/15 Page 3 of 5Case 1:14-cr-0 40 -JMF Document 32 Filed 06/26/15 Page 12 27 Hon. Valerie E. Caproni April 6, 2015 Page 4 of 5 Moreover, the circumstances of the defendant’s offense and mental health issues are easily distinguishable from those of Sanchez. A search of Sanchez’s computer revealed that he had attempted to use the Blackshades keylogger on approximately 90 computers – mostly to obtain random information rather than specific user credentials, like Fedorek – which triggered a four-level victim enhancement under § 2B1.1(b)(2)(B). Yet it appeared that Sanchez had downloaded files, including photographs, from only seven victims’ computers – substantially fewer than in this case. Further, the initial and primary target of Sanchez’s hacking attempts was his ex-girlfriend, who told the agents that she was not particularly disturbed by the intrusion under the circumstances. Sanchez also suffered from more extreme and long-lasting mental health issues and, unlike the defendant, had actually sought mental health treatment over one year prior to his arrest for using Blackshades. Indeed, at sentencing, Magistrate Judge James C. Francis IV commented that Sanchez’s case was “a unique one,” and that the offense “appears to have been a consequence of computer addiction, . . . which was itself symptomatic of the defendant’s other mental and emotional issues, and certainly, it does not appear that the hacking involved here was malicious.” (Sanchez Tr. 6). Accordingly, the defendant’s attempt to equate his case to that of Sanchez, rather than Fedorek, is unavailing. The defendant argues that this case is distinguishable from those where sentences exceeding one year of imprisonment were imposed based on the perceived need to protect the public from the defendants, see, e.g., United States v. Reithmeyer, 426 F. Supp. 2d 893 (E.D. Ark. 2006); United States v. Hugh, 533 F.3d 910 (8th Cir. 2008), and cases involving violations of New York State’s unlawful surveillance law where indeterminate sentences of one to three years’ imprisonment were imposed, see, e.g., People v. Piznarski, 113 A.D.3d 166 (3d Dep’t 2013); People v. Stearns, 39 A.D.3d 973 (3d Dep’t 2007); People v. Church, 31 A.D.3d 892 (3d Dep’t 2006); People v. Evans, 27 A.D.3d 905 (3rd Dep’t 2006). (Def. Supp. Mem. 13-16). To be sure, in light of the history and characteristics of the defendant, the need for specific deterrence in this case is not as substantial a factor as in Reithmeyer or Hugh. But the need for general deterrence to prevent others from committing similar computer hacking offenses is stronger here than in those cases, which involved more aberrational, even bizarre, conduct by the defendants that others were unlikely to repeat. Furthermore, while some of the state unlawful surveillance cases involved aggravating circumstances, such as the abuse of positions of trust or previous similar conduct by the defendants, these factors do not substantially differentiate the core harm – namely, invasion of privacy – caused by the defendants in those cases from that of the defendant here.3 Indeed, the defendant’s conduct in this case, particularly his manipulation of numerous victims’ webcams to photograph them while disrobed or engaged in sexual acts, was in many ways more egregious than the defendants’ conduct in those cases, all of which involved ten or fewer victims. Thus, a sentence within the applicable Guidelines range of 6 to 12 months’ imprisonment in this case certainly would not create an unwarranted sentencing disparity with the cases that the defendant attempts to distinguish. 3 The Government acknowledges, of course, that unlike in Piznarski¸ there is no evidence that the defendant used any of the material he stole from his victims to harass or extort them. Case 1:14-cr-00544-VEC Document 43 Filed 04/06/15 Page 4 of 5Case 1:14-cr-0 40 -JMF Document 32 Filed 06/26/15 Page 13 27 Hon. Valerie E. Caproni April 6, 2015 Page 5 of 5 Finally, to the extent the defendant argues for a sentence of probation because he is a first-time offender who did not commit a “serious crime” (Def. Supp. Mem. at 19-20), he is plainly mistaken. Although the defendant states that he “deeply regrets his actions, is ashamed and full of remorse” (Id. at 18), his failure to acknowledge the extremely serious nature of his computer-hacking offense is troubling. Indeed, it is difficult to imagine a more serious violation of a computer user’s privacy than that committed by the defendant over and over again in this case. A substantial sentence that sufficiently reflects the seriousness of this harm is, therefore, clearly warranted. For the foregoing reasons, and the reasons set forth in our initial sentencing submission, the Government respectfully submits that the defendant’s egregious and repeated invasions of his victims’ privacy, when considered in conjunction with all of the factors under 18 U.S.C. § 3553(a), supports the imposition of a Guidelines sentence in this case. Respectfully submitted, PREET BHARARA United States Attorney By: ________________________________ Daniel S. Noble Assistant United States Attorney (212) 637-2239 Enclosures cc: Justine Harris, Esq. (via electronic mail) Attorney for Marlen Rappa Case 1:14-cr-00544-VEC Document 43 Filed 04/06/15 Page 5 of 5Case 1:14-cr-0 40 -JMF Document 32 Filed 06/26/15 Page 14 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 15 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 16 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 17 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 18 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 19 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 20 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 21 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 22 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 23 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 24 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 25 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 26 of 27 Case 1:14-cr-00404-JMF Document 32 Filed 06/26/15 Page 27 of 27