Update on Unauthorized Access to a Computer

As I noted in a previous post, it is a crime under G.S. 14-454(b) “willfully and without authorization . . .  [to] access[] . . . any computer.” I posed a few scenarios in that earlier post, including one in which a judge tells a law clerk not to use the internet during business hours for non-work-related purposes, but the law clerk nonetheless looks at a sports web site during ACC basketball season. I asked if the law clerk had committed a crime, and suggested that the answer appears to be yes, much to the dismay of law clerks — and other office workers — everywhere.

No state cases address this issue, but thanks to a blog post by Professor Orin Kerr, I recently came across a relevant federal case. (A federal statute, 18 U.S.C. § 1030, makes it a crime to “exceed authorized access” to a computer.) The case is United States v. Rodriguez, __ F.3d __ (11th Cir. Dec. 27, 2010), and the basic holding is that a Social Security Administration employee violated the federal unauthorized access statute when he looked up the Social Security records of some acquaintances for personal reasons, in violation of the Administration’s policy about data access. The court rejected the defendant’s argument that the statute only applies when a person makes criminal or fraudulent use of the information accessed.

Rodriguez isn’t quite analogous to the law clerk hypothetical, because it involves an employee accessing his employer’s own database rather than an outside website. And the facts of Rodriguez are also much creepier than the law clerk example — it sounds like the defendant in Rodriguez was using the information he obtained to pursue women to whom he was romantically attracted. But the court’s endorsement of the simple rule that violating an employer’s limitations on computer use amounts to unauthorized access supports the conclusion that the law clerk committed a crime by checking the web site.

Professor Kerr thinks that Rodriguez is “right on its specific facts,” but is perhaps understandably troubled by the implications for cases like the law clerk hypothetical. He suggests that vagueness doctrine, which requires criminal statutes to delineate clearly between permitted and prohibited conduct, might be a way to restrict the reach of the federal unauthorized access statute. I’m a little skeptical about that with respect to the federal law, and the idea strikes me as a complete non-starter as to the state statute. A very plain definition of “authorization” appears in G.S. 14-453: as it relates to using computers, it means accessing a computer “in a manner not exceeding the consent or permission” of the person in control of the computer. So whether the law clerk’s conduct ought to be criminal or not, under current law, it pretty clearly is criminal.

One last thought. The computer trespass statute, G.S. 14-458, makes it a crime to “use a computer . . . without authority and with the intent to” do several enumerated things, generally involving harm to the computer or theft of data. It’s a Class 3 misdemeanor if no damage is done, and a Class 1 misdemeanor if there’s under $2,500 of damage. Given that G.S. 14-454 makes it a Class 1 misdemeanor to access a computer without authorization, with no proof of purpose required, it seems like prosecutors would be well advised to charge that offense rather than computer trespass. It’s easier to prove — essentially, it’s a lesser included — yet it has at least as strong a penalty. So maybe it should be called a “greater included,” or something.