EFF Asks Court To Reconsider Ruling That Would Make Violating Work Computer Policies A Criminal Act

from the surfing-on-the-clock?-that's-a-jailing dept

The EFF is asking the Oregon Supreme Court to take a look at a disturbing opinion issued by the state’s appeals court — one that could see employees face fines and prison time simply for violating company policies.

The case prompting the filing of an amicus brief on behalf of the defendant does contain an element of criminality, but the court’s decision should have been limited to the end result of the defendant’s actions, rather than the actions taken to reach that point.

Caryn Nascimento worked as a cashier at the deli counter of a convenience store. As part of her job, she was authorized to access a lottery terminal in the store to sell and validate lottery tickets for paying customers. Store policy prohibited employees from purchasing lottery tickets for themselves or validating their own lottery tickets while on duty. After a store manager noticed a discrepancy in the receipts from the lottery terminal, it was discovered that Nascimento had printed lottery tickets for herself without paying for them. She was ultimately convicted not only of first-degree theft, but also of computer crime on the ground that she accessed the lottery terminal “without authorization.”

Nascimento appealed the computer crime conviction. She argued that because she had permission to access the lottery terminal as part of her work duties, she did not access the terminal without authorization—as required under the Oregon’s computer crime statute. Unfortunately, the Oregon Court of Appeals affirmed Nascimento’s conviction, finding she had only “limited authorization” to access the lottery terminal for purposes of printing and validating lottery tickets for paying customers, and acted without authorization when she printed them for herself.

At first glance, it almost seems like a reasonable application of the law simply because the end result was theft. But it’s the specifics that make it troublesome. “Without authorization” is far too broad a term to be used in this context. With this reading of Oregon’s law, the appeals court has basically criminalized a wide variety of corporate computer-related policy violations. Actions that would normally be met (in a corporate setting) with warnings and reprimands could now be viewed as criminal acts.

[T]he Court of Appeals’ decision transforms millions of unsuspecting individuals into criminals on the basis of innocuous, everyday behavior—such as checking personal email or playing solitaire on a work computer. Such restrictions, frequently included in employers’ computer policies, are no different than the restriction imposed on Nascimento. They’re ultimately all computer use, not access, restrictions. Upholding Nascimento’s conviction on the basis of a violation of a computer use restriction expands Oregon’s computer crime statute to criminalize violations of any computer use restriction.

The broad reading of Oregon’s criminal statute also poses potential problems outside of the work environment.

The court’s holding that a person acts “without authorization” if she violates a policy regarding the use of a computer that she is otherwise authorized to access could be extended to an Internet user who accesses a website in violation of a written terms of service. For example, Facebook’s terms of use provide that “[y]ou will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.” But as the Ninth Circuit noted en banc, “[l]ying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight.” Under the Court of Appeals’ expansive reading of ORS 164.377, if a user shaves a few years off her age in her profile information, asserts that she is single when she is in fact married, or seeks to obfuscate her current physical location, hometown or educational history for any number of legitimate reasons, she violates the computer crime law. The court’s decision thus opens the door to turning millions of individual Internet users—not just millions of individual employees—into criminals for typical and routine Internet activity.

The EFF points out that rolling back this “unconstitutionally vague” reading of Oregon’s computer crime law doesn’t leave the state without options to punish Nascimento for her actions. She still faces one count of aggravated first-degree theft — a charge the EFF is not disputing. Pointing to previous decisions by the Fourth and Ninth Circuit courts, the EFF states that similarly broad readings of the rightfully-maligned CFAA (Computer Fraud and Abuse Act) have been rejected for potentially criminalizing violations of workplace computer use policies.

The Supreme Court should have no problem rolling back this broad reading and the attendant charge brought against Nascimento. The theft may have been facilitated by improper access that violated company policy, but this access doesn’t rise to the level of a criminal act — even if it ultimately resulted in a criminal action.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “EFF Asks Court To Reconsider Ruling That Would Make Violating Work Computer Policies A Criminal Act”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Who'da thunk it

Eh… kind of. If you have trespassing laws, then the company’s hours of business help determine whether you are trespassing or not. Similarly, if a business has computer policies, whether those policies are being violated could easily determine whether something is a computer crime.

But that works both ways. A store cannot retroactively say you were trespassing because you were shoplifting and they don’t allow shoplifters. Similarly, if you have authorized access to a computer system, then you aren’t accessing it without authorization just because you did something you weren’t supposed to be doing.

Anonymous Coward says:

It would seem like the “without authorization” wording of the law would obviously be aimed at hackers and others who break into computers without necessarily stealing anything tangible. The common legal term “breaking and entering” doesn’t really even apply when a server is accessible to the internet, and programming a client web browser to send a slightly altered line of code might “open things up” in ways the owner never intended.

But as usual, a sloppily-worded law can take on an entirely new meaning, and even the law’s original author is powerless to rein-in these distorted interpretations.

But then let’s not kid ourselves that those standard disclaimers commonly posted on warez servers, like “You are not authorized to download these files” would automatically turn the copyright cops into criminals.

Anonymous Coward says:

Re: Re: blame game

Whoa… you obviously don’t know a thing.

The corruption started there and the court and legal system is the #1 corruption. This system has to be taken down before the rest can be corrupted because everyone, including the politicians have to go through it.

It was corrupt FIRST! And remains the MOST corrupt now. Just ask anyone who is on death row or just in prison for something they did not do. The next most corrupt… Congress…. followed by the Executive Branch.

Anonymous Coward says:

Re: Re: Re:2 blame game

Being the most corrupt is not the same as being the first sinner.

Lets go over some things. The court system was designed to have a jury with it. Why do you suppose that is? How about you just ask the founding fathers why.

Did you know that if a juror mentions they know anything about the concept of Jury Nullification that you will be told to go home? That’s right, if you want to get out of jury duty just say jury nullification.

When you server they will have you swear and oath to uphold the law, which is not why you are there. They will also tell you that you must only decide if they broke it or not. You are there for that & more importantly if that law was justified to begin with. The founding fathers made it clear why a jury should always be required because they already knew how fast a judge and the system can be corrupted. They did not make it so that Congress or the Executive branches required a jury… they did that for the Courts, because that is the place where corruption impacts everyone directly! Congress and write a law, and Executive can try to enforce it upon you, but the courts, they have to find you guilty and that part requires citizens to agree with that, and today those citizens are ignorant and they are also lied too the entire process.

You tell me… a court and a well meaning jury can stop corrupt police from punishing you unjustly… how are they not the most corrupt system running now considering most people work a plea bargain rather than fighting for their rights?

O yes… very corrupt… DAMN CORRUPT! But I guess no more informationally bankrupt than you or the rest of the foul and ignorant electorate that see all as guilty until proven innocent!

Anonymous Coward says:

Re: Re: blame game

oh yes definitely.

The bible says woe unto you lawyers, you increase the burdens upon the people without lifting even a little finger to help them.

the legal system is nothing more than a farce now because Jurors either refuse to stop corruption from jailing innocents or because they are caught in the guilty until proven innocent nature of humanity. They know next to nothing about how their government operates but they seem to think themselves smart. Justice is for those whom can afford to fight for it.

Gopher Guts says:

Re: Grounds for dismissal

The World, in particular, lawyers from large corporations seemed poised to systematically enact and protect policies that are prerequisite for these corporations resolve for sovereignty which will violate an individual’s rights under the law and most in particularly the US Constitution. And it will be protected by the government’s claim of National Security that will preempt any claim of individual rights. Its a very dark road ahead for everyone, whether or not you are employed by these multi-national corporations.

Anonymous Coward says:

Speaking as someone who WRITES policies...

…this is full-blown batshit insane.

I’ve written workplace computer policies for decades, and have, during that time, reviewed innumerable others for ideas, wording choices, etc. They are all — including my own — unreviewed, error-ridden, incomplete, overbroad, inconsistent disasters that would never survive an hour a competent peer analysis and critique. Giving this garbage the force of law is dangerous and absurd.

(You might be wondering, given that paragraph, why I write them. I write them because the incompetent, bureaucratic, worthless morons above me demand that they be written — you see, they’re too stupid to let me just use my best judgment, which is actually very good — so I write them rather than sloughing the task off to ignorant newbies who would do an even worse job than I do.)

fuunu (profile) says:

Working as IT for the federal government I can see the companies and the legal system point of view. After all working for the federal government I am responsible for monitoring the usage of the computer system by the employees and I see a lot of things that could get people in trouble, most looking at porn, however only twice in the last 5 years have I seen someone get fired and get in legal trouble for the computer activities. Both of them had accessed classified materials without proper clearance. While they didn’t leak the material it was still enough to get a massive fine as well as fired.

Anonymous Coward says:

I suppose it all depends how non-computer-based violations of the law are handled.

If I walk into a hardware store, pick up a sledgehammer and bludgeon someone to death with it, and I’m charged with both murder and improper use of that company’s property, then I suppose the computer misuse stuff would make sense.

Pretty sure you don’t normally get charged for the second thing, though.

John Fenderson (profile) says:

Re: Re: Re: Pleabargaining in the '80s was illegal

“when the DA was trying to get the hero to pleabargain, that’s how you knew he was corrupt and on the inside of the conspiracy”

Just like now, outside of the movies. To my ear, a “plea bargain” is pretty much equivalent to the accused being railroaded and indicates a miscarriage of justice on its face.

Gwiz (profile) says:

Re: Re: Re: Pleabargaining in the '80s was illegal

Pleabargaining in the ’80s was illegal

Is was? Do you have a citation for that?

From what I’ve read, plea bargaining started happening in the decades following the Civil War. SCOTUS ruled on plea bargaining in three cases from 1968 to 1971 and found plea bargaining to be constitutional.

I know that some states and localities have passed laws making plea bargaining illegal, but on a whole, in the US, plea bargaining has always been legal, so I am interested as to where you got the idea that “Pleabargaining in the ’80s was illegal”.

Uriel-238 (profile) says:

You know, Gwiz, you’re absolutely right. Plea bargaining was legal (under qualified circumstances) after the Brady v. US ruling in 1970.

I remember also in the news media during the 80s the notion that plea-bargaining was unethical and procedurally unacceptable. It was implied to be criminal for the prosecution and defense to even negotiate outside the court, even with people getting in trouble for trying. This idea was preponderant in the (Los-Angeles-based) television I consumed. So yeah, I, too, wonder where I got that from.

In fictional media, plea-bargaining was regarded as a device of corrupted agents. A plea-bargain attempt pointed to a PA on the take just as much as secret police and preponderance of security cameras pointed to a dystopian police state.

Some time in the 90s, plea-bargaining became not only acceptable, but the norm. Lampshaded thoroughly by Sorkin (albeit in military courts) in A Few Good Men. It’s around the same time as when a handful of SWAT raids made it into the media as a new trend, given that they weren’t hostage-barricade situations, and in one case, shot up a family.

Uriel-238 (profile) says:

Re: In My Perfect World

That’s the problem.

You get the labor force just the right amount of hungry and they’ll suffer a lot of bullshit.

The trick is keeping them the right amount of hungry. If they get too hungry then they burn down the edifices and erect guillotines, and you wind up trying to flee to England.

And the funny thing is that tragedy-of-the-commons will always kill cartels and get the corporates / nobles to push the peasants too far.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...