
“Authorization” in the Context of Computer Crimes

I previously wrote a blog post about North Carolina’s computer-related crime statutes. Two of our computer crimes are accessing computers under G.S. 14-454 and accessing government computers under G.S. 14-454.1. Both statutes prohibit willfully accessing computers for the purpose of committing fraud or obtaining property or services by false pretenses. Both statutes also prohibit unauthorized access to computers, regardless of fraudulent intent. G.S. 14-453 defines authorization as having the consent or permission of the owner—or of the person licensed or authorized by the owner to grant consent or permission—to access a computer, computer system, or computer network in a manner not exceeding the consent or permission. I’ve gotten several questions recently about the scope of unauthorized access under these statutes, and today’s post examines how these laws may be applied.

Suppose a police officer is considering dating a woman he met online. The officer, like other officers in the state, has access to a database with information about offenders’ criminal history, outstanding warrants, residence, driver’s license status, and just about anything else stored on any government computer system. Out of sheer curiosity, the officer uses the police database to determine where the woman lives and whether she has a criminal record. Would the officer’s actions be considered unauthorized use within the meaning of G.S. 14-454.1(b)?

What about if a DMV employee uses her work computer to log into her Facebook account? Would this employee’s actions be within the reach of the statute?

We so far do not have any North Carolina precedent interpreting the scope of unauthorized access under these statutes. It is clear that both the officer and the DMV employee are authorized to use the computers due to their status as employees within the department and the fact that they have login information. What is unclear is whether their actions exceed the scope of permissible use within the intended meaning of the statute and justify criminal liability.

Other jurisdictions

Other jurisdictions have long grappled with the distinction between operating a computer system “without authorization” and “exceeding authorized access” by using the computer in an improper manner, for personal reasons, or in violation of a department’s policies.

In a New Jersey case, State v. Riley, 412 N.J. Super. 162 (2009), a defendant police officer viewed a video of a motor vehicle stop conducted by three other police officers, which was stored on the police department’s computer system. The defendant used the police database to view the recordings of the stop for a purpose not permitted by the department’s policy.

The defendant was charged under a New Jersey statutory provision that reads “A person is guilty of computer criminal activity if the person purposely or knowingly and without authorization, or in excess of authorization, accesses any data, data base, computer storage medium, computer program, computer software, computer equipment, computer, computer system or computer network.” N.J.S.A. 2C:20-25(a). The court held that the statute does not reach as far as to cover employees who enjoy password-protected access to computerized information, but who view or use such information in ways or for purposes that their employer prohibits. The court dismissed the charges against the defendant.

Another New Jersey court reached a different result where two employees of the IT division of a police department were alleged to have utilized their administrative passwords to open and read the emails of several high-ranking employees without authorization. State v. Thompson, 444 N.J. Super. 619 (2014). In denying the defendants’ motion to dismiss, the New Jersey appellate court reasoned that although the legislature did not define “in excess of authorization,” the term anticipates an actor with existing authorization such as the defendants who allegedly engaged in criminally culpable activity. To allow defendants to escape culpability because they were not outsiders breaking into the computer system would effectively immunize insiders from the offense. This interpretation would ignore the plain language of the statute prohibiting access of computers “in excess of authorization.”

Federal law

Federal statute 18 U.S.C. 1030 (also known as the Computer Fraud and Abuse Act or “CFAA”) prohibits similar conduct and contains similar language. The CFAA provides punishment for any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.”

The Fourth Circuit adopted a narrow interpretation of this law in WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199 (4th Cir. 2012). In this case, Miller resigned from his position working with the WEC. WEC contended that before resigning, Miller, acting at the direction of a competitor, downloaded WEC’s proprietary information and used it in luring WEC’s potential customers. WEC sued Miller for violating the Computer Fraud and Abuse Act (CFAA). The Court held that the terms “without authorization” and “exceeds authorized access” apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access. The Court declined to extend its interpretation to employees who violate a use policy and thus affirmed the dismissal of the claim against Miller.

Conversely, the Fourth Circuit reached a different result in United States v. Steele, 595 F. App’x 208 (4th Cir. 2014), where the defendant was convicted under the CFAA for secretly logging in to the email server of his former employer and gaining access to confidential and proprietary information related to its government contract bids. The Court distinguished the case at hand from Miller, noting that the defendant here was not an employee at the time he improperly accessed the company’s server, so he acted “without authorization” under the plain meaning of the statute. The Court thus affirmed his convictions.

The difference in these decisions draws a clear line of authorization based on employment status. That an authorized user subsequently uses the computer or the information they retrieve for an improper purpose, or in violation of a use policy, will not subject the person to criminal liability under the statute.

Policy implications

Defining the scope of authorization broadly would allow a person with clearly authorized access to use a system for any and all purposes, even if those purposes are in violation of the user agreement or department policy. This could potentially include activities like stalking a girlfriend, snooping on someone, or pirating music. This scope of consent seems unlikely based on the language of the statute because it would, as the New Jersey court noted, create a bizarre result where you’re immune if you’re “in”.

On the other hand, narrowing the scope of authorization would impose liability for any and all uses that fall outside of the user agreement or department policy. By this construction, something as simple as checking personal email, scrolling through Facebook, or booking travel for vacation on a work computer would be a felony. This too would seemingly create an absurd and unreasonably harsh result, and it seems unlikely that the legislature intended the statute to reach so far.

Under the case law discussed above, it appears courts draw a bright line at employment status. Where there is clear authorization, courts draw a much finer and less clear line at the type of information being accessed. It seems that if information could be accessed in the normal course of duties (even if not properly accessed at a given time), like in Riley, then that access will not have exceeded the scope of authorization. Conversely, if the access requires special permission or special privilege, like in Thompson, then the case for prosecution is stronger. [Note: On June 3, 2021, the United States Supreme Court released a decision, Van Buren v. United States, consistent with this analysis. The case summary can be found here.]

The North Carolina statutes involving accessing computers have not been changed since 2002. Perhaps these laws need an examination in light of technological developments (and unanswered questions) since they were last addressed. Until we have guidance from our courts, the different interpretations likely leave room for prosecutorial discretion.

I welcome your thoughts and invite your comments. If you have questions, please feel free to send me an email at bwilliams@sog.unc.edu.
