On Beauty Queens, Hackers and the U.S. Supreme Court

The U.S. Supreme Court may ultimately decide whether a Florida beauty queen and her mother are criminals, and indeed, the entire scope of the computer crime statute. According to reports in the Washington Post, 50-year-old Laura Rose Carroll, an assistant principal in the Escambia County School District in Cantonment (near Pensacola, Florida), used her access to school district computers not only to monitor the activities (and grades) of her daughter, a student at J.M. Tate High School (go Aggies!), but ultimately to allow her daughter to “rig” the election for homecoming queen.

While the details are a bit confusing, it appears that Carroll allowed her daughter to use her credentials to gain privileged access to an internal school system called FOCUS, and that permitted the daughter not only to see the records of her friends and others in the high school, but also to access an online voting system, called Election Runner, used by the school.

The daughter used the access to cast 117 additional votes for herself, triggering warnings in the cloud-based election software when all of the votes came from the same IP address. Oops. Mom and daughter were criminally charged with one count each of offenses against users of computers, computer systems, computer networks and electronic devices (a 3rd degree felony), unlawful use of a two-way communications device (a 3rd degree felony), criminal use of personally identifiable information (a 3rd degree felony) and conspiracy to commit these offenses (a 1st degree misdemeanor).

This is where things MAY get murky. The Florida computer crime statute makes it a crime to “willfully, knowingly, and without authorization …access[] or cause[] to be accessed any computer, computer system, or computer network [and] …take[] …equipment or supplies used or intended to be used in a computer, computer system, or computer network… for the purpose of devising or executing any scheme or artifice to defraud or obtain property.”

The “two-way communications” crime is even more bizarre: it makes it a felony in Florida to use “a two-way communications device … to facilitate or further the commission of any felony.” The personal information crime makes it an offense if a person “willfully and without authorization fraudulently uses, or possesses with intent to fraudulently use, personal identification information concerning another person without first obtaining that person’s consent.”

Presumably, the daughter used the mother’s credentials in logging into the computer without mom’s consent. Focusing on the computer crime statute, the Florida law would require proof that either mother or daughter accessed the school’s computer “without authorization,” which is defined as without “empowerment, permission, or competence to act.” Did mom not have “permission” to access the school district’s computers? Did she not have the “power” to do so? Did she not have the “competence” to access? Sure, what she did once she accessed the computer system (assuming it was her) was not authorized, but the statute makes it a crime to “access” without authorization, not to access with authorization and then do something you are not authorized to do.

Sure, you could argue that, when the assistant principal logged into the school computer for a purpose other than what she was permitted to do, she was “accessing” the computer without authorization, or that, having logged in with permission, her permission was withdrawn when she did something that the school did not want her to do, but that’s a stretch of the term “access without authorization.”

The U.S. Supreme Court is currently considering an appeal of a case involving Nathan Van Buren, a Georgia police officer who used his authorization to access a federal criminal database not for his authorized purposes as a police officer, but for personal financial gain. He was convicted under the federal computer crime statute which, unlike the Florida counterpart, makes it a crime not only to “access a computer” without authorization, but to “exceed authorization” to access the computer. The federal appeals court rejected Van Buren’s argument that he was innocent because “he accessed only databases that he was authorized to use,” albeit for inappropriate reasons, writing that, in the opinion of that court, you exceed authorized access when you use authorized access to “obtain or alter information in the computer that the accessor is not entitled [so] to obtain or alter.” But even under this definition, Van Buren was “authorized to access” the data and the database, just not for the purposes for which he did. While it’s a subtle distinction, it has grave consequences. If “unauthorized access” or “exceeding authorized access” means “doing something that the owner of the computer or network doesn’t want you to do,” then violations of Terms of Service or license agreements, or work rules, or employment policies become not only cause for discipline or being kicked off a network, but become multiple felonies.

As the Florida beauty queen case shows, the “unauthorized access,” which used a “two-way” communication device and someone’s user ID and password, becomes three distinct felonies. So if your company has a rule against accessing personal email at work and you violate that rule, BAM! Thirty years in prison.

An employee who violates a nondisclosure agreement or uses data in a database to violate a noncompete agreement is committing felony computer crime. Sometime this term, the U.S. Supreme Court will clarify what is currently a split among the federal circuit courts over whether accessing a computer and then doing something that the computer or data owner doesn’t specifically authorize (or prohibits) is – or should be – a federal (or, by implication, state) crime. Until then, we can expect more beauty queens to have to face the music.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.