State Supreme Court Rolls Back Decision That Would Have Made Violating Company Computer Policies A Crime
from the penalties-range-from-'written-reprimand'-to-'years-in-prison' dept
The Oregon Supreme Court has handed down a ruling that should help prevent the state's computer crime laws from turning into a local level CFAA -- something that can be easily abused by prosecutors to, say, toss someone in jail for two years for 40 minutes of headline altering at a news website.
Caryn Nascimento was arrested for theft after using a convenience store's lottery machine to print off thousands of dollars of tickets she never paid for. But rather than settle for the theft charges, the state chose to charge her with unauthorized use under Oregon's broadly-interpreted computer crimes statute.
The state appeals court upheld the conviction, prompting the EFF to intervene in her case when it headed to the state supreme court. The EFF pointed out that the appeals court decision would criminalize a lot of behavior normally only subject to companies' internal disciplinary processes.
[T]he Court of Appeals’ decision transforms millions of unsuspecting individuals into criminals on the basis of innocuous, everyday behavior—such as checking personal email or playing solitaire on a work computer. Such restrictions, frequently included in employers’ computer policies, are no different than the restriction imposed on Nascimento. They're ultimately all computer use, not access, restrictions. Upholding Nascimento’s conviction on the basis of a violation of a computer use restriction expands Oregon’s computer crime statute to criminalize violations of any computer use restriction.
The Supreme Court has found that, contrary to the lower court's decision, Nascimento did not exceed her authorization when she printed out lottery tickets she never paid for. She did steal, but she was fully authorized to perform every step up to the point of not paying for the tickets.
It is difficult to square the state’s position with the text of ORS 164.377(4). The text establishes a binary division between those who are "authorized" to access or use a computer and those who are not. The text does not distinguish between use that is authorized for certain purposes (such as those permitted by employer policies) and use that otherwise would be authorized but that is inconsistent with those policies. Indeed, subsection (4) of the statute does not focus on the purpose or manner of use at all, but only on whether the access or use is "authorized."
Viewed in that light, the text supports defendant’s assertion that her use of the lottery terminal to print Keno tickets—as she was trained and permitted by her employer to do—was "authorized" use. The fact that she printed the tickets for her own use and did not pay for them may have violated company policies and other parts of the computer crime statute (in addition to the theft statute), but her use was not "without authorization" as that term is used in ORS 164.377(4).
Nascimento was not allowed to print out tickets for herself or do so without paying, but those were violations of company policy, not state law. The theft of funds -- via the unpaid-for lottery tickets -- was a criminal act, but the acquisition of the tickets via a machine she was authorized to use was not.
The court points out [PDF] that reading the state statute in the way prosecutors (and the lower court) interpreted it means adding words that aren't there to the existing law.
As noted, “access” is defined in the computer crime statute as “retriev[ing] data” or “mak[ing] use of any resource on a computer.” ORS 164.377(1)(a). If a person is “empowered” or “permitted”—the dictionary synonyms of “authorized”—by the appropriate authority to “retrieve data” or “make use” of the computer, then that use is “authorized.” Applying those words in their ordinary senses, it is a stretch to suggest that an employee who uses her work computer to send a private email during the work day— or check Facebook or buy a movie ticket—contrary to her employer’s policy against personal use, has “accessed” or “used” the computer “without authorization,” although she may have violated her employer’s policy. Nothing in the text of the statute suggests that the legislature intended such a result. As defendant argues, the state’s interpretation would criminalize not only “unauthorized” use of a computer, but also “authorized use for an impermissible purpose.” Such an interpretation would require adding words to the text of the statute that the legislature did not use. See ORS 174.010 (court may not add words to statute).
It's a good decision that rolls back the lower court's unfortunate expansion of a law already prone to abusive interpretation. This should keep people from being saddled with extra charges just because their criminal activities were committed on a computer.