What does it mean to access a computer without authorization? It’s an important question. North Carolina’s computer crime statutes appear at G.S. 14-453 et seq. Among other things, the statutes make it illegal “willfully and without authorization . . . [to] access[] . . . any computer.” The crime of unauthorized access is more serious if the computer in question is a government computer, or if the person accessing the computer is doing so for fraudulent purposes. The principal federal computer crime statute, 18 U.S.C. § 1030, contains somewhat similar provisions.
At first, the issue of authorization seems straightforward. The North Carolina statutes define “authorization” as “having the consent or permission of the owner . . . to access a computer . . . in a manner not exceeding the consent or permission.” But consider a couple of scenarios.
1. A law clerk is instructed by the judge for whom she works that she should not use her work computer to access the internet, except for legal research. The clerk generally abides by the judge’s policy, but the morning after the Duke-UNC basketball game, she can’t resist going to the Duke Basketball Report to read about the Devils’ big win. Has she “exceed[ed] the . . . permission” of the judge and thereby committed a crime? (I know that some of you would say that rooting for Duke is a crime, but that’s not what I mean!)
2. A high school student joins MySpace under a false name, creating a bogus profile inspired by a satirical character who appeared in a story the student read on The Onion. Although intended as a joke, this violates MySpace’s terms of service policy, which requires all profiles to be created under the user’s true name. Did the student access MySpace’s computer servers “without authorization”?
3. A grant writer for a nonprofit is terminated for poor job performance. She is told to leave the building immediately, but instead, she returns to her office briefly and removes several personal files from her office computer. Has she committed a crime?
Having once been a law clerk who was instructed not to access the internet except to do legal research, I hope that the answer to (1) is no, but I fear that it is a straightforward yes. (I can neither confirm nor deny ever having visited the Duke Basketball Report during my clerkship year, however.)
Scenario (2) is, as they say in Hollywood, “based on a true story,” except the real story is the sad and serious Megan Meier/Lori Drew case, also known as the MySpace suicide case. The case is described here, as is the presiding federal judge’s ruling that violating a website’s terms of service does not amount to accessing a computer without authorization, because “[i]t basically leaves it up to a website owner to determine what is a crime. And therefore it criminalizes what would be a breach of contract.” My immediate reaction is that all crimes involving lack of consent or lack of authorization “leave it up to [the person who grants, withholds or limits consent] to determine what is a crime.” However, the federal Department of Justice initially appealed the ruling, then dropped its appeal — so perhaps the ruling is more soundly grounded than it appears at first blush.
Scenario (3) is a significantly modified version of the facts in State v. Ramos, 363 N.C. 352 (2009). Ramos was reversed based on an instructional error, and the opinion doesn’t really answer the question I posed. Generally, it seems to me that the employer can bar the former employee from accessing the computer, meaning that the conduct described in the scenario is a crime. However, I suspect that as a matter of civil law, the employer must make the employee’s personal files available to the employee within a reasonable period of time, at least if it didn’t violate company policy for the employee to store personal files on her work computer.
If you have other interesting or questionable scenarios to share, please send me an email or post a comment. Those interested in further reading can check out this post about a recent federal court of appeals opinion in this area.
Hm they all are interesting cases. What i see in the second case is that they are shifting the decision on the site owner because they can make a clear one. On the third one well if there isn’t any prohibition on storing personal files on work computers then i agree on your opinion that the employer should give enough time so that the fired employee to retrieve his / her files.
I think the statutes are too loosely worded in this case. I know on my laptop the default setting is to connect to any open wireless networks and have found myself already connected to a unsecured network when I open my laptop to work. I didn’t intentionally connect, my computer did or in the case of a wireless network broadcasting it’s SSID one could argue that it was advertising itself as free and open to use.