EFF Asks Court To Reconsider Ruling That Would Make Violating Work Computer Policies A Criminal Act

Legal Issues

from the surfing-on-the-clock?-that's-a-jailing dept

The EFF is asking the Oregon Supreme Court to take a look at a disturbing opinion issued by the state’s appeals court — one that could see employees face fines and prison time simply for violating company policies.

The case prompting the filing of an amicus brief on behalf of the defendant does contain an element of criminality, but the court’s decision should have been limited to the end result of the defendant’s actions, rather than the actions taken to reach that point.

Caryn Nascimento worked as a cashier at the deli counter of a convenience store. As part of her job, she was authorized to access a lottery terminal in the store to sell and validate lottery tickets for paying customers. Store policy prohibited employees from purchasing lottery tickets for themselves or validating their own lottery tickets while on duty. After a store manager noticed a discrepancy in the receipts from the lottery terminal, it was discovered that Nascimento had printed lottery tickets for herself without paying for them. She was ultimately convicted not only of first-degree theft, but also of computer crime on the ground that she accessed the lottery terminal “without authorization.”

Nascimento appealed the computer crime conviction. She argued that because she had permission to access the lottery terminal as part of her work duties, she did not access the terminal without authorization—as required under the Oregon’s computer crime statute. Unfortunately, the Oregon Court of Appeals affirmed Nascimento’s conviction, finding she had only “limited authorization” to access the lottery terminal for purposes of printing and validating lottery tickets for paying customers, and acted without authorization when she printed them for herself.

At first glance, it almost seems like a reasonable application of the law simply because the end result was theft. But it’s the specifics that make it troublesome. “Without authorization” is far too broad a term to be used in this context. With this reading of Oregon’s law, the appeals court has basically criminalized a wide variety of corporate computer-related policy violations. Actions that would normally be met (in a corporate setting) with warnings and reprimands could now be viewed as criminal acts.

[T]he Court of Appeals’ decision transforms millions of unsuspecting individuals into criminals on the basis of innocuous, everyday behavior—such as checking personal email or playing solitaire on a work computer. Such restrictions, frequently included in employers’ computer policies, are no different than the restriction imposed on Nascimento. They’re ultimately all computer use, not access, restrictions. Upholding Nascimento’s conviction on the basis of a violation of a computer use restriction expands Oregon’s computer crime statute to criminalize violations of any computer use restriction.

The broad reading of Oregon’s criminal statute also poses potential problems outside of the work environment.

The court’s holding that a person acts “without authorization” if she violates a policy regarding the use of a computer that she is otherwise authorized to access could be extended to an Internet user who accesses a website in violation of a written terms of service. For example, Facebook’s terms of use provide that “[y]ou will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.” But as the Ninth Circuit noted en banc, “[l]ying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight.” Under the Court of Appeals’ expansive reading of ORS 164.377, if a user shaves a few years off her age in her profile information, asserts that she is single when she is in fact married, or seeks to obfuscate her current physical location, hometown or educational history for any number of legitimate reasons, she violates the computer crime law. The court’s decision thus opens the door to turning millions of individual Internet users—not just millions of individual employees—into criminals for typical and routine Internet activity.

The EFF points out that rolling back this “unconstitutionally vague” reading of Oregon’s computer crime law doesn’t leave the state without options to punish Nascimento for her actions. She still faces one count of aggravated first-degree theft — a charge the EFF is not disputing. Pointing to previous decisions by the Fourth and Ninth Circuit courts, the EFF states that similarly broad readings of the rightfully-maligned CFAA (Computer Fraud and Abuse Act) have been rejected for potentially criminalizing violations of workplace computer use policies.

The Supreme Court should have no problem rolling back this broad reading and the attendant charge brought against Nascimento. The theft may have been facilitated by improper access that violated company policy, but this access doesn’t rise to the level of a criminal act — even if it ultimately resulted in a criminal action.

Filed Under: caryn nascimento, cfaa, company policies, computer access, computers, hacking, oregon