I previously wrote a blog post about North Carolina’s computer-related crime statutes. Two of our computer crimes are accessing computers under G.S. 14-454 and accessing government computers under G.S. 14-454.1. Both statutes prohibit willfully accessing computers for the purpose of committing fraud or obtaining property or services by false pretenses. Both statutes also prohibit unauthorized access to computers, regardless of fraudulent intent. G.S. 14-453 defines authorization as having the consent or permission of the owner—or of the person licensed or authorized by the owner to grant consent or permission—to access a computer, computer system, or computer network in a manner not exceeding the consent or permission. I’ve gotten several questions recently about the scope of unauthorized access under these statutes, and today’s post examines how these laws may be applied. Continue reading
Tag Archives: unauthorized access
As I noted in a previous post, it is a crime under G.S. 14-454(b) “willfully and without authorization . . . [to] access[] . . . any computer.” I posed a few scenarios in that earlier post, including one in which a judge tells a law clerk not to use the internet during business hours for non-work-related purposes, but the law clerk nonetheless looks at a sports web site during ACC basketball season. I asked if the law clerk had committed a crime, and suggested that the answer appears to be yes, much to the dismay of law clerks — and other office workers — everywhere.
No state cases address this issue, but thanks to a blog post by Professor Orin Kerr, I recently came across a relevant federal case. (A federal statute, 18 U.S.C. § 1030, makes it a crime to “exceed authorized access” to a computer.) The case is United States v. Rodriguez, __ F.3d __ (11th Cir. Dec. 27, 2010), and the basic holding is that a Social Security Administration employee violated the federal unauthorized access statute when he looked up the Social Security records of some acquaintances for personal reasons, in violation of the Administration’s policy about data access. The court rejected the defendant’s argument that the statute only applies when a person makes criminal or fraudulent use of the information accessed.
Rodriguez isn’t quite analogous to the law clerk hypothetical, because it involves an employee accessing his employer’s own database rather than an outside website. And the facts of Rodriguez are also much creepier than the law clerk example — it sounds like the defendant in Rodriguez was using the information he obtained to pursue women to whom he was romantically attracted. But the court’s endorsement of the simple rule that violating an employer’s limitations on computer use amounts to unauthorized access supports the conclusion that the law clerk committed a crime by checking the web site.
Professor Kerr thinks that Rodriguez is “right on its specific facts,” but is perhaps understandably troubled by the implications for cases like the law clerk hypothetical. He suggests that vagueness doctrine, which requires criminal statutes to delineate clearly between permitted and prohibited conduct, might be a way to restrict the reach of the federal unauthorized access statute. I’m a little skeptical about that with respect to the federal law, and the idea strikes me as a complete non-starter as to the state statute. A very plain definition of “authorization” appears in G.S. 14-453: as it relates to using computers, it means accessing a computer “in a manner not exceeding the consent or permission” of the person in control of the computer. So whether the law clerk’s conduct ought to be criminal or not, under current law, it pretty clearly is criminal.
One last thought. The computer trespass statute, G.S. 14-458, makes it a crime to “use a computer . . . without authority and with the intent to” do several enumerated things, generally involving harm to the computer or theft of data. It’s a Class 3 misdemeanor if no damage is done, and a Class 1 misdemeanor if there’s under $2,500 of damage. Given that G.S. 14-454 makes it a Class 1 misdemeanor to access a computer without authorization, with no proof of purpose required, it seems like prosecutors would be well advised to charge that offense rather than computer trespass. It’s easier to prove — essentially, it’s a lesser included — yet it has at least as strong a penalty. So maybe it should be called a “greater included,” or something.
What does it mean to access a computer without authorization? It’s an important question. North Carolina’s computer crime statutes appear at G.S. 14-453 et seq. Among other things, the statutes make it illegal “willfully and without authorization . . . [to] access[] . . . any computer.” The crime of unauthorized access is more serious if the computer in question is a government computer, or if the person accessing the computer is doing so for fraudulent purposes. The principal federal computer crime statute, 18 U.S.C. § 1030, contains somewhat similar provisions.
At first, the issue of authorization seems straightforward. The North Carolina statutes define “authorization” as “having the consent or permission of the owner . . . to access a computer . . . in a manner not exceeding the consent or permission.” But consider a couple of scenarios.
1. A law clerk is instructed by the judge for whom she works that she should not use her work computer to access the internet, except for legal research. The clerk generally abides by the judge’s policy, but the morning after the Duke-UNC basketball game, she can’t resist going to the Duke Basketball Report to read about the Devils’ big win. Has she “exceed[ed] the . . . permission” of the judge and thereby committed a crime? (I know that some of you would say that rooting for Duke is a crime, but that’s not what I mean!)
2. A high school student joins MySpace under a false name, creating a bogus profile inspired by a satirical character who appeared in a story the student read on The Onion. Although intended as a joke, this violates MySpace’s terms of service policy, which requires all profiles to be created under the user’s true name. Did the student access MySpace’s computer servers “without authorization”?
3. A grant writer for a nonprofit is terminated for poor job performance. She is told to leave the building immediately, but instead, she returns to her office briefly and removes several personal files from her office computer. Has she committed a crime?
Having once been a law clerk who was instructed not to access the internet except to do legal research, I hope that the answer to (1) is no, but I fear that it is a straightforward yes. (I can neither confirm nor deny ever having visited the Duke Basketball Report during my clerkship year, however.)
Scenario (2) is, as they say in Hollywood, “based on a true story,” except the real story is the sad and serious Megan Meier/Lori Drew case, also known as the MySpace suicide case. The case is described here, as is the presiding federal judge’s ruling that violating a website’s terms of service does not amount to accessing a computer without authorization, because “[i]t basically leaves it up to a website owner to determine what is a crime. And therefore it criminalizes what would be a breach of contract.” My immediate reaction is that all crimes involving lack of consent or lack of authorization “leave it up to [the person who grants, withholds or limits consent] to determine what is a crime.” However, the federal Department of Justice initially appealed the ruling, then dropped its appeal — so perhaps the ruling is more soundly grounded than it appears at first blush.
Scenario (3) is a significantly modified version of the facts in State v. Ramos, 363 N.C. 352 (2009). Ramos was reversed based on an instructional error, and the opinion doesn’t really answer the question I posed. Generally, it seems to me that the employer can bar the former employee from accessing the computer, meaning that the conduct described in the scenario is a crime. However, I suspect that as a matter of civil law, the employer must make the employee’s personal files available to the employee within a reasonable period of time, at least if it didn’t violate company policy for the employee to store personal files on her work computer.
If you have other interesting or questionable scenarios to share, please send me an email or post a comment. Those interested in further reading can check out this post about a recent federal court of appeals opinion in this area.
