v.
Commonwealth of Virginia
COURT OF APPEALS OF VIRGINIA
Present: Chief Judge Decker, Judges Humphreys,* Beales, Huff, O’Brien, AtLee, Malveaux, PUBLISHED
Athey, Fulton, Ortiz, Causey, Friedman, Chaney, Raphael, Lorish, Callins and White Argued at Richmond, Virginia
TAYLOR AMIL WALLACE OPINION BY v. Record No. 1040-21-1 JUDGE DANIEL E. ORTIZ JANUARY 23, 2024 COMMONWEALTH OF VIRGINIA
UPON A REHEARING EN BANC
FROM THE CIRCUIT COURT OF THE CITY OF CHESAPEAKE John W. Brown, Judge
Samantha Offutt Thames, Senior Appellate Attorney (Virginia Indigent Defense Commission, on briefs), for appellant.
Stephen J. Sovinsky, Assistant Attorney General (Jason S. Miyares, Attorney General, on brief), for appellee.
A person who uses a computer for a fraudulent purpose does not automatically use it
“without authority” under the computer fraud statute. Under the plain text of Code §§ 18.2-152.2 and -152.3, a defendant commits computer fraud only if they “use[]” a computer without permission or “in a manner knowingly exceeding such right, agreement, or permission,” not every time they use a computer to commit an enumerated crime. Following a bench trial, Taylor Amil Wallace was convicted of computer fraud, obtaining money by false pretenses, uttering forged checks, and failing
to appear in court, after she deposited forged checks in an ATM. On appeal, Wallace challenged the sufficiency of the evidence for each conviction. A three-judge panel found the evidence sufficient
to affirm her convictions on all charges except for four counts of computer fraud. In that regard, the * Judge Humphreys participated in the hearing and decision of this case prior to the effective date of his retirement on December 31, 2023. panel found the evidence insufficient to prove that Wallace used the ATM “without authority,” with
one judge dissenting. Upon the Commonwealth’s petition for a rehearing en banc as to the computer fraud charges, this Court finds en banc that the evidence presented at trial failed to prove that Wallace was “without authority” when she accessed her own bank account via an ATM and deposited the checks.
BACKGROUND
On four different days in December 2018, Wallace used a drive-through ATM at BB&T to deposit four checks into her BB&T bank accounts.[1] The checks were made out from Gregory
Starling’s Southern Bank account to “Taylor A. Wallace.” All four checks were endorsed by
“Taylor Wallace.” Security camera footage shows Wallace driving to the ATM, sometimes with an unidentified male in the front passenger seat, and depositing the checks. Two of the checks were returned to BB&T as forged. The other two were returned because the Southern Bank account was closed. After recouping its losses from Wallace’s bank accounts, BB&T suffered a loss of $937.82. In an interview with police officers in January 2019, Wallace admitted that she was the person depositing the checks and that she did not know Gregory Starling, but she refused to say where she got the checks.
At a bench trial, Wallace testified that she did not steal the checks but received them from her stepfather, Miguel Sumner, who had no bank account and told Wallace that the checks were
his paychecks for his demolition and cleaning work. She testified that Sumner was the unidentified male in the passenger seat and that he did not give her the checks until they were at the ATM. She denied having endorsed the checks, claiming that she never looked at the checks because she trusted Sumner. Wallace’s mother corroborated Wallace’s story, testifying that she dated Sumner during the time Wallace deposited the checks and that Sumner worked in construction.
[*2]Starling testified that he did not write the four checks and that they were probably taken from his work truck around December 7, 2018. He stated that, at the time, he worked at a job site and had hired a man, James Watson, and an all-male team for demolition and cleaning work.
At the trial, BB&T investigator, Kevin Wolfe, testified that the ATM was a “very
sophisticated machine” and had “a number of different functions,” including depositing checks, withdrawing cash, and making balance inquiries. Wolfe stated that an ATM “would be considered a computer.”
Wallace was convicted of four counts of uttering a forged check, four counts of obtaining money by false pretenses, four counts of computer fraud, and one count of felony failure to appear, in violation of Code §§ 18.2-152.3, 18.2-172, 18.2-178, and 19.2-128(B). The trial court
found Wallace not guilty of forgery or identity fraud. See Code §§ 18.2-172, -186.3(A)(2). The trial court sentenced Wallace to 17 years and 96 months of incarceration, with 13 years and 128 months suspended.
On appeal, Wallace challenged the sufficiency of the evidence for her convictions for computer fraud, uttering, obtaining money by false pretenses, and failure to appear. As to the computer fraud charges, a three-judge panel held that the evidence was insufficient to show that
Wallace acted “without authority,” with a single judge in dissent. The panel unanimously upheld her convictions for the other charges. The Commonwealth requested, and this Court granted, a rehearing en banc to reconsider the panel’s holding solely related to the computer fraud convictions. Once again, we hold that the trial court erred in determining that Wallace was
“without authority” when she used the ATM in question to process the four checks.
[*3]Accordingly, we reverse the judgment of the trial court as to Wallace’s convictions for computer fraud.
ANALYSIS
A. Standards of Review
In reviewing the sufficiency of the evidence, we consider the evidence “in the light most favorable to the Commonwealth, the prevailing party below.” Vay v. Commonwealth, 67
Va. App. 236, 242 (2017) (quoting Smallwood v. Commonwealth, 278 Va. 625, 629 (2009)). In doing so, we “discard the evidence of the accused in conflict with that of the Commonwealth, and regard as true all the credible evidence favorable to the Commonwealth and all fair inferences to be drawn therefrom.” Bowman v. Commonwealth, 290 Va. 492, 494 (2015)
(quoting Kelley v. Commonwealth, 289 Va. 463, 467-68 (2015)).
We defer “to the trial court’s findings of fact unless they are plainly wrong or without evidence to support them.” Brewer v. Commonwealth, 71 Va. App. 585, 591 (2020). “The fact finder, who has the opportunity to see and hear the witnesses, has the sole responsibility to determine their credibility, the weight to be given their testimony, and the inferences to be drawn from proven facts.” Commonwealth v. Taylor, 256 Va. 514, 518 (1998). Furthermore, “[t]he judgment of a trial court sitting without a jury is entitled to the same weight as a jury verdict”
when reviewed on appeal. Martin v. Commonwealth, 4 Va. App. 438, 443 (1987). Still, “to the extent that the issue on appeal requires the Court to determine the meaning of a statute and its terms, it reviews that issue de novo.” Brewer, 71 Va. App. at 591.
B. Statutory Interpretation
Wallace challenges her computer fraud convictions under Code § 18.2-152.3. She argues that, first, she did not use the ATM “without authority,” and second, the ATM she used was not a “computer” under the statute. Assuming, without deciding, that the ATM was a computer,2 we find that the trial court misinterpreted Code § 18.2-152.3 in finding that Wallace used the ATM
[*4]“without authority.”
“When construing a statute, our primary objective is ‘to ascertain and give effect to
legislative intent,’ as expressed by the language used in the statute.” Cuccinelli v. Rector, Visitors of the Univ. of Va., 283 Va. 420, 425 (2012) (quoting Commonwealth v. Amerson, 281
Va. 414, 418 (2011)). “When the language of a statute is unambiguous, we are bound by the plain meaning of that language.” Id. (quoting Kozmina v. Commonwealth, 281 Va. 347, 349
(2011)). We “presume that the legislature chose, with care, the words it used when it enacted the relevant statute.” Zinone v. Lee’s Crossing Homeowners Ass’n, 282 Va. 330, 337 (2011)
(quoting Addison v. Jurgelsky, 281 Va. 205, 208 (2011)). In addition, “when the General
Assembly has used specific language in one instance, but omits that language or uses different
language when addressing a similar subject elsewhere in the Code, we must presume that the difference in the choice of language was intentional.” Id. Such omission shows “that the General Assembly ‘knows how’ to include such language in a statute to achieve an intended objective” and unambiguously expressed “a contrary intention.” Morgan v. Commonwealth, 301
Va. 476, 482 (2022) (quoting Brown v. Commonwealth, 284 Va. 538, 545 (2012)). Finally, when a statute is ambiguous, “the rule of lenity [directs] us to adopt a narrow construction, thus reducing exposure to criminal liability.” Fitzgerald v. Loudoun Cnty. Sheriff’s Off., 289 Va. 499, 508 (2015).
[*5]1. The plain language of Code §§ 18.2-152.2 and -152.3 means that a defendant must “use[]” a computer “without authority.”
Under the Virginia Computer Crimes Act (“VCCA”), “[a]ny person who uses a computer or computer network, without authority” and “[o]btains property or services by false pretenses,”
“[e]mbezzles or commits larceny,” or “[c]onverts the property of another” is guilty of computer fraud. Code § 18.2-152.3. Under the VCCA, “[a] person is ‘without authority’ when he knows or reasonably should know that he has no right, agreement, or permission or acts in a manner knowingly exceeding such right, agreement, or permission.” Code § 18.2-152.2.
Preventing unauthorized access to computers is a primary purpose of computer crime laws. The federal government and all fifty states have “enacted computer crime laws that prohibit ‘unauthorized access’ to computers.” Orin S. Kerr, Cybercrime’s Scope: Interpreting
“Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1596
(2003); see also Susan W. Brenner, State Cybercrime Legislation in the United States of America: A Survey, 7 Rich. J.L. & Tech. 28, at 15 n.37 (2001) (listing state computer crime
statutes). In Virginia, the plain language of the VCCA expressly defines “without authority” and includes it as an element of several offenses, including computer fraud. Code §§ 18.2-152.2
to -152.3. The language makes it clear that the computer fraud statute applies only to the unauthorized use of computers and computer networks.[3] Here, both parties agree that, as a bank customer, Wallace had some “right, agreement, or permission” to use the ATM. See Code § 18.2-152.2. At issue is simply whether Wallace
[*6]“act[ed] in a manner knowingly exceeding such right, agreement, or permission.” See id.
Wallace argues that as a BB&T customer, she had the authority to use the ATM for the functions she performed—depositing checks and withdrawing cash. The Commonwealth responds that while Wallace had authority to use the ATM for lawful purposes, Wallace exceeded her authority by depositing forged checks. The question here is whether a person authorized to use a computer necessarily exceeds that authority when they use the computer to obtain money by false pretenses.
In Code § 18.2-152.3, the words “without authority” clearly modify “use[] [of] a computer or computer network,” rather than the criminal purposes of such use, enumerated as
obtaining property or services by false pretenses, embezzlement, larceny, or conversion. Thus, combining Code §§ 18.2-152.2 and -152.3, a computer fraud conviction requires that a defendant either “has no right, agreement, or permission” to use the computer or computer network or uses it “in a manner knowingly exceeding such right, agreement, or permission.” To prove that a
defendant knowingly exceeded their authorization, the Commonwealth must first establish the scope of the defendant’s right, agreement, or permission. The plain text of the statute, which states that a person must act “in a manner knowingly exceeding” their authorization, indicates that the manner of use, rather than the purpose of the use, must be unauthorized. Code
§ 18.2-152.2 (emphasis added). This is distinct from lacking authority to achieve an enumerated
purpose of obtaining property by false pretenses, embezzlement, larceny, or conversion. The structure of the statute, pairing “without authority” with “use,” rather than the enumerated fraud or theft offenses, tells us that simply committing a listed crime—which is never “authorized,” in the broad legal or moral sense—is not enough to be “without authority.” Rather, a person must be “without authority” to use the computer in a certain way.
[*7]2. Reading the computer fraud statute in the context of the criminal code clarifies that a person’s use, not their purpose, must be “without authority.”
A comparison of Code § 18.2-152.3 to Code § 18.2-152.5 also shows that “without
authority” relates to an individual’s “use.” Under Code § 18.2-152.5, “[a] person is guilty of the crime of computer invasion of privacy when he uses a computer or computer network and intentionally examines without authority any employment, salary, credit or any other financial or identifying information . . . relating to any other person.” (Emphasis added). Unlike in the computer fraud statute, here the words “without authority” modify the examination of information, rather than the use of a computer or computer network. For example, in Ramsey v. Commonwealth, 65 Va. App. 694 (2015), a state trooper ran inquiries using the Virginia
Criminal Information Network (“VCIN”) for personal purposes, knowing that she was only authorized to do so for criminal justice purposes. Id. at 695-96. Although she had authority to use the VCIN, this Court upheld her conviction under Code § 18.2-152.5 because she “was without authority to examine the information on VCIN for non-criminal justice purposes.” Id. at
701. The words “without authority” modify different actions in the computer fraud and computer invasion of privacy statutes. Because both sections of the VCCA address the “similar subject” of computer crimes, “we must presume that the difference in the choice of language was intentional.” Zinone, 282 Va. at 337. Thus, we must focus on whether a specific “use” of the computer was authorized or not, irrespective of whether the ultimate purpose was lawful.[4]
[*8]We reject the Commonwealth’s argument that if a defendant uses a computer to deposit forged checks—or for unlawful purposes more generally—their use is per se without authority under the computer fraud statute. This interpretation would render the words “without authority” in Code § 18.2-152.3 surplusage. See Hubbard v. Henrico Ltd. P’ship, 255 Va. 335, 340 (1998)
(“[E]very part of a statute is presumed to have some effect and no part will be considered meaningless unless absolutely necessary.”). In fact, the General Assembly specifically rejected proposals to remove the words from the statute. See, e.g., Va. St. Crime Comm’n, Computer
Crimes Act, Rep. Doc. No. 77, at 10 (2005) (recommending eliminating “without authority” from
Code § 18.2-152.3 because when “a criminal uses a computer to . . . commit a fraud on
another . . . it should not be a possible defense that he had the permission of the owner of the computer to engage in illegal activities”); S.B. 1163 (as introduced, Jan. [12], 2005) (amending
“[a]ny person who uses a computer or computer network without authority and with intent to” to “[a]ny person who, through the use of a computer”). Moreover, unlike computer fraud, other
[*9]computer crimes under the VCCA do not include the “without authority” element. See, e.g., Code § 18.2-152.7:1 (harassment by computer); Code § 18.2-152.5:1 (using a computer to gather identifying information). We again take the legislature at its word and read “without authority” to require more than commission of an enumerated criminal act.
In support of its broad reading, the Commonwealth relies on several prior cases upholding convictions for computer fraud and related crimes, none of which explore the meaning of “without authority.” See Brewer, 71 Va. App. at 591-97; DiMaio v. Commonwealth, 272 Va.
504, 506-08 (2006); Barnes v. Commonwealth, No. 2693-98-1, slip op. at 1-5, 2000 WL 291436, at *1-2 (Va. Ct. App. Mar. 21, 2000). In Brewer, we focused on whether a smartphone
constituted a “computer.” 71 Va. App. at 591. In DiMaio, the appellant challenged only the sufficiency of the evidence regarding the value of data that he removed from a computer. 272
Va. at 506. Finally, Barnes is an unpublished case that does not interpret “without authority.”
Barnes, slip op. at 1-5, 2000 WL 291436, at *1-2 (briefly discussing a sufficiency of the evidence claim under Code § 18.2-152.3). As such, these cases are of little value in determining the meaning of “without authority.” See Jones v. Commonwealth, 293 Va. 29, 50 (2017)
(“[S]tare decisis does not ‘foreclose inquiry’ into an issue not previously ‘raised, discussed, or decided.’” (quoting Chesapeake Hosp. Auth. v. Commonwealth, 262 Va. 551, 560 (2001))).
3. The VCCA definition of “use[]” further clarifies and contextualizes the meaning of “without authority.”
Having established that “without authority” modifies the use of the computer, we must also analyze the meaning of “use[]” under the VCCA—another defined term. The VCCA states that “[a] person ‘uses’ a computer . . . when he attempts to cause or causes a computer . . . to perform or to stop performing computer operations.” Code § 18.2-152.2. This definition is mechanical, focused on the user’s direct interactions with the computer and the effect of those - 10 -
interactions on “computer operations,” separately defined as “arithmetic, logical, monitoring, storage or retrieval functions and any combination thereof, [which] includes, but is not limited to, communication with, storage of data to, or retrieval of data from any device.” Id. The statute also clarifies that computer operations include “any function for which that computer was
generally designed.” Id. Thus, to commit computer fraud, a person must “attempt[] to cause” or actually “cause[] a computer” to perform operations—including, but not limited to “arithmetic, logical, monitoring, storage or retrieval functions”—beyond the scope of the functions they are
allowed to perform. Id. The word “use[]” does not encompass the end goal or purpose of the user, but their specific actions in operating the computer. Those discrete actions must be undertaken “without authority.”
4. This Court’s reading of the VCCA is supported by persuasive authority from other state courts and the United States Supreme Court, interpreting similar statutes.
While not binding on this Court, well-reasoned opinions from other jurisdictions interpreting similar statutes support our conclusion that “without authority” modifies the manner
of use of computers and computer networks, rather than the purpose of the use. For example, in Commonwealth v. Shirley, 653 S.W.3d 571 (Ky. 2022), the Supreme Court of Kentucky reversed a conviction for unlawful access to a computer when the defendant fraudulently placed barcodes from cheap items onto expensive items and then scanned those barcodes at a Walmart self-checkout register. Id. at 572, 577-79. The court reasoned that the Kentucky statute “[did] not refer to whether the individual is accessing a computer to commit fraud but [did] refer to whether the individual [was] accessing a computer in the way consented to by the owner.” Id. at
579. Similarly, in People v. Golb, 15 N.E.3d 805 (N.Y. 2014), the Court of Appeals of New
York vacated a conviction for unauthorized use of a computer when the defendant used a university computer to send emails criminally impersonating others. Id. at 810, 814. The court rejected the prosecution’s argument that “using the computer to commit a crime cannot be an - 11 - authorized use” and found that New York’s computer crime statute was “intended to reach a
person who accesses a computer system without permission (i.e., a hacker).” Id. at 814. Finally, in State v. Nascimento, 379 P.3d 484 (Or. 2016), the Supreme Court of Oregon reversed the defendant’s conviction for computer crimes when she used a lottery terminal to print lottery tickets for herself without paying. Id. at 485-86. The court rejected the “extremely broad definition” that “any time a person uses or accesses a computer for a purpose not permitted by the computer’s owner, the person does so ‘without authorization’ and commits computer crime.”
Id. at 490. The court found that the defendant’s “use of the lottery terminal to print [lottery] tickets—as she was trained and permitted by her employer to do—was ‘authorized’ use,” despite its ultimately criminal purpose. Id. at 491. The purpose of computer crime laws in general, as reflected in these cases, aligns with our analysis of the VCCA’s language.
Finally, in Van Buren v. United States, 141 S. Ct. 1648 (2021), the United States
Supreme Court, interpreting the Federal Computer Fraud and Abuse Act of 1986 (“CFAA”), considered whether a police sergeant violated federal law when, in contravention of department policy, he used a law enforcement license plate database to search for information on an acquaintance’s romantic interest in exchange for $5,000. Id. at 1652-53. The CFAA penalizes
“anyone who ‘intentionally accesses a computer without authorization or exceeds authorized access,’ and thereby obtains computer information.” Id. at 1652 (quoting 18 U.S.C.
§ 1030(a)(2)). Like the VCCA, the CFAA differentiates between those who “intentionally access[] a computer without authorization” and those who “exceed[] authorized access.” See 18
U.S.C. § 1030(a)(2). The CFAA goes a step further, defining “exceeds authorized access” as “to
access a computer with authorization and . . . use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).
Dissecting the plain text, with a focus on the word “so,” the Court held that to violate the law a
- 12 - person must access information “that a person is not entitled to obtain by using a computer that he is authorized to access.” Van Buren, 141 S. Ct. at 1655. The Court concluded that the federal statute did “not cover those who, like Van Buren, have improper motives for obtaining
information that is otherwise available to them.” Id. at 1652. This mirrors our conclusion that, under the VCCA, a defendant authorized to use a computer to perform specific tasks is not
“without authority,” regardless of any “improper motives.”5 See id.
In reaching its conclusion, the Van Buren Court rejected the Government’s position that the CFAA reached any person who was not authorized to obtain information “in the particular manner or circumstances in which he obtained it.” Id. at 1654 (emphasis omitted). This broader approach would have incorporated access limitations from a laundry list of potential external sources, including “the United States Code, a state statute, a private agreement, or anywhere else,” rendering any use of a computer which violated any other legal, moral, or contractual obligation simultaneously a violation of the CFAA. Id. at 1655. Similarly, the Commonwealth’s approach in this case would mean that any action that simultaneously involved the use of a computer and the commission of a listed fraud or theft crime would be per se “without authority,” notwithstanding the General Assembly’s express inclusion of that element in Code
§ 18.2-152.3. Considering the text of the VCCA, we decline to adopt the Commonwealth’s
reading, which renders the phrase “without authority” superfluous. Rather, we interpret the phrase “right, agreement, or permission” in the context of the term “use[],” defined as the mechanical computer operations performed on the computer, not the user’s ultimate ends, The guidelines for filing electronic briefs and appendices can be found at www.courts.state.va.us/online/vaces/resources/guidelines.pdf.
COURT OF APPEALS OF VIRGINIA
Present: Judges Athey, Ortiz and Lorish PUBLISHED
Argued at Norfolk, Virginia
TAYLOR AMIL WALLACE OPINION BY v. Record No. 1040-21-1 JUDGE DANIEL E. ORTIZ FEBRUARY 28, 2023 COMMONWEALTH OF VIRGINIA
FROM THE CIRCUIT COURT OF THE CITY OF CHESAPEAKE John W. Brown, Judge
Samantha Offutt Thames, Senior Assistant Public Defender (Virginia Indigent Defense Commission, on briefs), for appellant.
Stephen J. Sovinsky, Assistant Attorney General (Jason S. Miyares, Attorney General, on brief), for appellee.
A person who uses a computer for a fraudulent purpose does not automatically use it
“without authority” under the computer fraud statute. Following a bench trial, Taylor Amil Wallace
was convicted of computer fraud, obtaining money by false pretenses, uttering forged checks, and failing to appear in court, after she deposited forged checks in an ATM. Wallace challenges the sufficiency of the evidence for each conviction. She argues that the Commonwealth failed to prove that: the ATM is a “computer,” she used the ATM “without authority,” she knew that the checks were forged, and she “willfully” failed to appear in court. We find the evidence insufficient to prove that Wallace used the ATM “without authority” but sufficient to prove the remaining convictions. We affirm in part and reverse in part.
BACKGROUND
In December 2018, Wallace deposited four checks, in the amounts of $440, $324, $450, and $300, into her bank accounts at BB&T, using a drive-through ATM. These checks were deposited on four separate days and were made out from Gregory Starling’s Southern Bank
account to “Taylor A. Wallace.” The first two checks had the word “work” in their memo fields, and the third and fourth checks had the words “cleaning” and “remaining balance,” respectively.
All four checks were endorsed by “Taylor Wallace.” Photos from security cameras show
Wallace driving to the ATM, sometimes with an unidentified male in the front passenger seat, and depositing the checks. Two of the checks were returned to BB&T as forged. The other two
were returned because the Southern Bank account was closed. After using the funds in Wallace’s accounts to make up for the loss, BB&T lost $937.82 in total.
On January 28, 2019, Wallace accepted an interview by Detective Ronald Ward at her mother’s residence. Wallace admitted that she was the person depositing the checks and that she did not know Gregory Starling, but she refused to tell Detective Ward where she got the checks.
After being arrested and granted bail, Wallace signed a continuance order requiring her to appear before the trial court on January 30, 2020. However, she did not appear on January 30. Wallace was charged with four counts of forging a check, four counts of uttering a forged check, four counts of obtaining money by false pretenses, four counts of computer fraud, one count of using
false identification to obtain money, and one count of felony failure to appear, in violation of Code §§ 18.2-152.3, 18.2-172, 18.2-178, 18.2-186.3(A)(2), and 19.2-128(B).
At the bench trial, Wallace testified that she did not steal the checks but received them from her stepfather, Miguel Sumner, who had no bank account and told Wallace that the checks were his paychecks for his demolition and cleaning work. She testified that the unidentified male in the passenger seat was Sumner and that Sumner did not give her the checks until they were at the ATM. She denied having endorsed the checks, claiming that she never actually looked at the checks because she trusted Sumner. Wallace also stated that she had been represented by several attorneys and that, although she signed the continuance order, the advice from one of her attorneys caused her failure to appear. Wallace was not allowed to testify as to what the attorney told her,1 and the attorney did not testify at trial. Finally, Wallace stated that
she was 18 years old in December 2018 and admitted that she had had one misdemeanor conviction involving lying, cheating, or stealing, as well as three or four felony convictions as a juvenile. Wallace’s mother corroborated Wallace’s story, testifying that she dated Sumner during the time Wallace deposited the checks and that Sumner worked in construction.
Starling testified that he did not write the four checks and that they were probably taken from his work truck around December 7, 2018. He stated that, at the time, he worked at a job site and had hired a man, James Watson, and an all-male team for demolition and cleaning work.
BB&T investigator Kevin Wolfe testified that the ATM was a “very sophisticated machine” and had “a number of different functions,” including depositing checks, withdrawing cash, and making balance inquiries. Wolfe opined that an ATM “would be considered a computer.”
After hearing all evidence, the trial court found Wallace guilty of uttering forged checks, obtaining money by false pretenses, computer fraud, and failure to appear. It did not find
Wallace guilty of forgery or identity fraud. The trial court sentenced Wallace to 17 years and 96 months of incarceration, with 13 years and 128 months suspended. Wallace appeals, challenging the sufficiency of the evidence for each conviction. First, Wallace argues that the evidence does not support the computer fraud convictions because an ATM is not a computer and Wallace did not use the ATM “without authority.” Second, Wallace argues that the evidence does not establish that she possessed the requisite intent for uttering forged checks, obtaining money by false pretenses, or computer fraud. Finally, Wallace argues that the evidence did not establish that she “willfully” failed to appear in court.
ANALYSIS
A. Standards of Review
In reviewing the sufficiency of the evidence, we consider the evidence “in the light most favorable to the Commonwealth, the prevailing party below.” Vay v. Commonwealth, 67
Va. App. 236, 242 (2017) (quoting Smallwood v. Commonwealth, 278 Va. 625, 629 (2009)). In doing so, we “discard the evidence of the accused in conflict with that of the Commonwealth, and regard as true all the credible evidence favorable to the Commonwealth and the inferences to
be drawn therefrom.” Bowman v. Commonwealth, 290 Va. 492, 494 (2015) (quoting Kelley v. Commonwealth, 289 Va. 463, 467-68 (2015)).
We defer “to the trial court’s findings of fact unless they are plainly wrong or without evidence to support them.” Brewer v. Commonwealth, 71 Va. App. 585, 591 (2020) (citing
Ramsey v. Commonwealth, 65 Va. App. 694, 697 (2015)). “The fact finder, who has the opportunity to see and hear the witnesses, has the sole responsibility to determine their credibility, the weight to be given their testimony, and the inferences to be drawn from proven facts.” Commonwealth v. Taylor, 256 Va. 514, 518 (1998). Furthermore, “[t]he judgment of a trial court sitting without a jury is entitled to the same weight as a jury verdict” when reviewed on appeal. Martin v. Commonwealth, 4 Va. App. 438, 433 (1987) (citing Code § 8.01-680).
However, “to the extent that the issue on appeal requires the Court to determine the meaning of a statute and its terms, it reviews that issue de novo.” Brewer, 71 Va. App. at 591.
B. The evidence is insufficient to establish that Wallace used the ATM “without authority.”
Wallace challenges her computer fraud convictions under Code § 18.2-152.3. She argues that, first, the ATM she used was not a “computer” under the statute, and second, she did not use the ATM “without authority.” Assuming, without deciding, that the ATM was a computer,2 we find that the trial court misinterpreted Code § 18.2-152.3 in finding that Wallace used it “without authority.”
Under the Virginia Computer Crimes Act (“VCCA”), “[a]ny person who uses a computer or computer network, without authority” and “[o]btains property or services by false pretenses,”
“[e]mbezzles or commits larceny,” or “[c]onverts the property of another” is guilty of computer fraud. Code § 18.2-152.3. Under the VCCA, “[a] person is ‘without authority’ when he knows or reasonably should know that he has no right, agreement, or permission or acts in a manner knowingly exceeding such right, agreement, or permission.” Code § 18.2-152.2. Wallace argues that as a BB&T customer, she had the authority to use the ATM to deposit checks and withdraw cash. The Commonwealth responds that Wallace exceeded her authority by depositing forged checks. The question here is whether a person who uses a computer to obtain money by false pretenses is per se “without authority.”
“When construing a statute, our primary objective is ‘to ascertain and give effect to
legislative intent,’ as expressed by the language used in the statute.” Cuccinelli v. Rector, Visitors of the Univ. of Va., 283 Va. 420, 425 (2012) (quoting Commonwealth v. Amerson, 281
2 We agree with the dissent that the ATM was a “device that accept[ed] information in digital or similar form and manipulate[d] it for a result based on a sequence of instructions.” Code § 18.2-152.2. However, we decline to find that the ATM fell outside the exception of “specialized computing devices that are preprogrammed to perform a narrow range of functions with minimal end-user or operator intervention and are dedicated to a specific task.” Id. The dissent finds that the ATM’s “level of sophistication” was high and that in using the ATM to deposit checks, Wallace was not subject to the “same oversight” of a live-teller transaction. Because Code § 18.2-152.2 does not base the distinction on a machine’s “level of sophistication,” and because the record does not establish how ATM transactions and live-teller transactions are subject to different oversight, we are not ready to reach the same conclusion. Furthermore, we must “decide cases ‘on the best and narrowest grounds available’” under the doctrine of judicial restraint. Commonwealth v. White, 293 Va. 411, 419 (2017) (quoting Commonwealth v. Swann, 290 Va. 194, 196 (2015)); see also Spruill v. Garcia, 298 Va. 120, 127 (2019). Therefore, we decline to reach a finding regarding whether an ATM is a computer under Code § 18.2-152.3.
Va. 414, 418 (2011)). We “presume that the legislature chose, with care, the words it used when it enacted the relevant statute.” Zinone v. Lee’s Crossing Homeowners Ass’n, 282 Va. 330, 337
(2011). In addition, “when the General Assembly has used specific language in one instance, but
omits that language or uses different language when addressing a similar subject elsewhere in the Code, we must presume that the difference in the choice of language was intentional.” Id. Such omission shows “that the General Assembly knows how to include such language in a statute to
achieve an intended objective” and unambiguously expressed “a contrary intention.” Morgan v. Commonwealth, __ Va. __, __ (Dec. 29, 2022). Finally, when a statute is ambiguous, “the rule of lenity [directs] us to adopt a narrow construction, thus reducing exposure to criminal liability.”
Fitzgerald v. Loudoun Cnty. Sheriff’s Off., 289 Va. 499, 508 (2015); see also Morgan, __ Va. at
__ (applying the rule of lenity when a narrow interpretation of a penal statute did not conflict with legislative intent and was not overly restrictive).
Preventing unauthorized access to computers is a primary purpose of computer crime laws. The federal government and all fifty states have “enacted computer crime laws that prohibit ‘unauthorized access’ to computers.” Orin S. Kerr, Cybercrime’s Scope: Interpreting
“Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U.L. Rev. 1596, 1596
(2003); see also Susan W. Brenner, State Cybercrime Legislation in the United States of America: A Survey, 7 Rich. J.L. & Tech. 28, p15 n.37 (2001) (listing state computer crime
statutes). In Virginia, the plain language of the VCCA manifests this legislative intent. The VCCA expressly defines “without authority,” and it is an element of several offenses within the VCCA, including computer fraud. Code §§ 18.2-152.2 and -152.3. The language makes it clear that the computer fraud statute applies only to the unauthorized use of computers and computer networks.
Moreover, the words “without authority” clearly modify “use[] [of] a computer or computer network” in Code § 18.2-152.3, rather than the purposes of such use—that is, obtaining
property or services by false pretenses, embezzlement, larceny, and conversion. Thus, combining Code §§ 18.2-152.2 and -152.3, a computer fraud conviction requires that the defendant either “has no right, agreement, or permission” to use the computer or computer network or uses it “in a manner knowingly exceeding such right, agreement, or permission.” To prove that a defendant knowingly exceeded their authorization, the Commonwealth must first
establish the scope of the right, agreement, or permission. The manner, rather than purpose, of the use must be unauthorized. The dissent argues that our analysis distinguishing the manner and purpose of computer use is “unnecessarily complicated,” but the plain text of the statutes compels such a distinction. The definition of “without authority” explicitly includes “in a manner knowingly exceeding” authorization. Code § 18.2-152.2 (emphasis added). At the same time, the words “without authority” in the computer fraud statute do not modify the enumerated purposes of obtaining property by false pretenses, embezzlement, larceny, and conversion.
A comparison of Code § 18.2-152.3 to Code § 18.2-152.5 further supports this
conclusion. Under Code § 18.2-152.5, “[a] person is guilty of the crime of computer invasion of privacy when he uses a computer or computer network and intentionally examines without authority any employment, salary, credit or any other financial or identifying information . . .
relating to any other person.” (Emphasis added). Unlike in the computer fraud statute, here the words “without authority” modify the examination of information, rather than the use of a computer or computer network. For example, in Ramsey v. Commonwealth, a state trooper ran
inquiries using the Virginia Criminal Information Network (VCIN) for personal purposes, knowing that she was only authorized to do so for criminal justice purposes. 65 Va. App. at
695-96. Although she had authority to use the VCIN, this Court upheld her conviction under Code § 18.2-152.5 because she “was without authority to examine the information on VCIN for non-criminal justice purposes.” Id. at 701. The words “without authority” modify different actions in the computer fraud and computer invasion of privacy statutes. Because both sections
of the VCCA address the “similar subject” of computer crimes, “we must presume that the difference in the choice of language was intentional.” Zinone, 282 Va. at 337.
We reject the Commonwealth’s argument that if a defendant uses a computer to deposit forged checks—or for unlawful purposes more generally—her use is per se without authority under the computer fraud statute. This interpretation would render the words “without authority” in Code § 18.2-152.3 surplusage. In fact, the General Assembly specifically rejected proposals
to remove the words from the statute. See, e.g., Va. St. Crime Comm’n, Computer Crimes Act, Rep. Doc. No. 77, at 10 (2005) (recommending eliminating “without authority” from Code
§ 18.2-152.3 because when “a criminal uses a computer to . . . commit a fraud on another . . . it should not be a possible defense that he had the permission of the owner of the computer to engage in illegal activities”); Senate Bill No. 1163 (Jan. [12], 2005) (amending “[a]ny person who
uses a computer or computer network without authority and with intent to” to “[a]ny person who, through the use of a computer”). Moreover, unlike computer fraud, other computer crimes under the VCCA do not include the “without authority” element. See, e.g., Code § 18.2-152.7:1
(harassment by computer); Code § 18.2-152.5:1 (using a computer to gather identifying information). We must presume that the difference in language was intentional.
The unambiguous language of Code § 18.2-152.3 demonstrates that “without authority”
modifies the use of the computer itself, rather than the purpose of the use. But even if the language were ambiguous, the rule of lenity would nevertheless compel the same interpretation.
If the General Assembly found our traditional fraud statutes insufficient and intended to enhance the punishment for all defendants who use computers or computer networks as a tool in committing false pretenses, embezzlement, larceny, or conversion, it could have made it clear by eliminating the words “without authority” in the computer fraud statute. Absent such an express legislative intent, we refuse to adopt this broad interpretation.
The Commonwealth argues that a person authorized to use a computer can exceed their
authorization, citing Brewer, 71 Va. App. at 592, DiMaio v. Commonwealth, 272 Va. 504, 507-08 (2006), and Barnes v. Commonwealth, No. 2693-98-1, 2000 WL 291436 (Va. Ct. App.
Mar. 21, 2000). While the proposition is correct, none of these cases explore the meaning of “without authority.” In Brewer, we focused on whether a smartphone constituted a “computer.”
71 Va. App. at 591. In DiMaio, the appellant only challenged the sufficiency of the evidence regarding the value of data that he removed from a computer. 272 Va. at 506. Finally, Barnes is an unpublished case that does not interpret “without authority.” As such, these cases are of little value in determining the meaning of “without authority.” See Jones v. Commonwealth, 293 Va.
29, 50 (2017) (“[S]tare decisis does not ‘foreclose inquiry’ into an issue not previously ‘raised, discussed, or decided.’” (quoting Chesapeake Hosp. Auth. v. Commonwealth, 262 Va. 551, 560
(2001))).
While not binding on this Court, well-reasoned opinions from other jurisdictions
interpreting similar statutes support our conclusion that “without authority” modifies the use of computers and computer networks, rather than the purpose of the use. For example, in Commonwealth v. Shirley, 653 S.W.3d 571 (Ky. 2022), the Supreme Court of Kentucky reversed a conviction for unlawful access to a computer when the defendant fraudulently placed barcodes from cheap items onto expensive items and then scanned those barcodes at a Walmart self-checkout register. The court reasoned that the Kentucky statute “[did] not refer to whether the individual is accessing a computer to commit fraud but [did] refer to whether the individual
[was] accessing a computer in the way consented to by the owner.” Id. at 579. Similarly, in People v. Golb, 15 N.E.3d 805 (N.Y. 2014), the Court of Appeals of New York vacated a conviction for unauthorized use of a computer when the defendant used a university computer to send emails criminally impersonating others. The court rejected the prosecution’s argument that
“using the computer to commit a crime cannot be an authorized use” and found that New York’s computer crime statute was “intended to reach a person who accesses a computer system without
permission (i.e., a hacker).” Id. at 814. Finally, in State v. Nascimento, 379 P.3d 484 (Or. 2016), the Supreme Court of Oregon reversed a defendant’s conviction for computer crimes when she
used a lottery terminal to print lottery tickets for herself without paying. The court rejected the “extremely broad definition” that “any time a person uses or accesses a computer for a purpose not permitted by the computer’s owner, the person does so ‘without authorization’ and commits computer crime.” Id. at 490. It found that her “use of the lottery terminal to print [lottery] tickets—as she was trained and permitted by her employer to do—was ‘authorized’ use,” despite its ultimately criminal purpose. Id. at 491. The purpose of computer crime laws in general, as reflected in these cases, is consistent with our analysis of the VCCA’s language.
Under Code § 18.2-152.3, “without authority” is an element of the crime, for which the Commonwealth has the burden of proof.[3] In this case, the Commonwealth presented no evidence to establish the scope of Wallace’s authority to use the ATM or her knowledge that she exceeded such authority. As a bank customer, she had authority to use the ATM to deposit checks and withdraw cash. By depositing a forged check, she used the ATM for an unlawful purpose, but not in an unauthorized manner. The dissent cites as evidence the facts that BB&T