The law is murky on what constitutes legal authorization and use of computer data
In Greek mythology, Cassandra was cursed with the ability to know the future, and with the inability to effectively warn anyone about it. Her warnings about the origins of the Trojan/Greek war went unheeded and she was treated as a mad woman. The story of Cassandra may be a warning for today.
At about 2:20 p.m. on Nov. 10, people in the Florida Department of Health started receiving messages from the emergency messaging application called ReadyOPS. Members of the messaging group “StateESF-8.Planning” received a message that warned them about the novel coronavirus, and advised them that it was “time to speak up” in light of more than 17,000 dead in Florida and that they should “speak out before it is too late.” The ReadyOPS application, which is used by the Department of Health and others, is accessible to an undisclosed number of users, all of whom apparently use the same userid and password.
The message was delivered to about 1,700 users of the ReadyOPS system before the Bureau of Preparedness and Response of the Department of Health was able to rein in the message. An examination of the log files pointed to a specific Comcast IPv6 address, which the investigator’s affidavit indicated “sent the group text”; the affidavit also stated that the investigator resolved that IP address to former Health Department employee Rebecca Jones “through the use of investigative resources.” The police then executed a search warrant on Jones’ residence, seizing her computers and phone upon a showing of probable cause to believe that Jones’ devices had evidence of a violation of Florida’s Computer Crime statute, which provides:
(2) A person commits an offense against users of computers, computer systems, computer networks, or electronic devices if he or she willfully, knowingly, and without authorization or exceeding authorization:
(a) Accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized or the manner of use exceeds authorization.
The statute parallels the language in the federal computer crime statute, which makes it a crime to “access” a computer “without authorization” or in excess of authorization. But what do these terms really mean? When is a user using a computer “in excess” of authorization?
Just a week before, on Nov. 30, the U.S. Supreme Court heard oral argument in the case of Van Buren v. United States, involving a Georgia police officer who accessed the National Crime Information Computer (NCIC) database, which is restricted for use by law enforcement and related individuals “for law enforcement purposes.” Having accessed the database as a cop with a valid userid and password, Van Buren went on to use the data for non-law enforcement purposes—passing the data on to an associate for money. Obviously, Van Buren could be fired and prosecuted for corruption, mail and wire fraud, embezzlement, theft, misappropriation, “honest services” fraud and possibly false statements or false certifications, among other things. But was this an “access” to a computer in “excess” of his authorization? Did Van Buren “hack” the NCIC computer?
Courts have been struggling with determining which uses of a computer are “authorized” and which uses “exceed” authorization, and what standard to apply. The broad approach says that the “owner” or operator of the computer, network or data gets to determine not only who can access the computer or data, but for what purposes they can access and use the computer or data. The owner “authorizes” the “access.” Any access or use of the computer or data that is not specifically authorized by the owner is either “unauthorized” or exceeds the scope of authorization. As a result, we can inquire about the motive or intent of a user who uses authorized credentials to access a database, network or device to which they have authorization, but does so for a purpose that is either not authorized or that is specifically prohibited.
An example: A real estate salesman accesses his company’s database with credentials to see the latest leads on people who might be interested in buying property. You know, the Glengarry leads—the premium leads. He takes the Glengarry leads and uses them not for the benefit of his own company but to give to a competitor or to start his own business. Did he “embezzle” information? Probably. Did he deprive his employer of his “duty of loyalty”? Sure. Did he commit “hacking”? It’s a very slippery slope. Every time a user with credentials uses a computer for a purpose for which they were not authorized or uses data they access through a computer for a purpose not authorized, they run the risk of being prosecuted for “accessing” that data “in excess of authorization.” And it need not be secret data, since it is the “access” that must exceed authorization.
Most recently, employees of a trucking company “accessed confidential company information from their company-issued computers and cell phones and then utilized the information in violation of company policy.” Because the federal computer crime statute contains both a civil and criminal provision, their employer sued them for the crime of computer hacking. The federal appeals court on Sept. 9 found that the actions of the employees did not violate the hacking statute. It does not apply when someone with authorization to get data uses that data for an improper or unapproved purpose; rather, the court found “that in utilizing the phrase ‘exceeds authorized access,’ the CFAA targets one who initially ‘gain[s] entrance to . . . a system, network, or file’ with ‘sanction or permission,’ and then ‘gain[s] or attain[s]’ ‘information’ that, in the words of the statute, she is ‘not entitled so to obtain . . . .’” Mere violations of rules or policies alone do not a hacker make.
Presumably, we will soon learn what underlying information FDLE has to support the search warrant and how it got it. And then we can learn whether Jones did or did not send the message to the group chat, and whether that “exceeded the scope” of her authorization. You know, like Cassandra warning about the (original) Trojan horse. And Cassandra’s warnings similarly went unheeded.