The Rockford Register Star has a story about a man who was convicted of a crime for using the unencrypted wireless network of a nearby non-profit agency without first obtaining the agency’s permission. The article doesn’t say, but I gather the prosecution was brought under the Illinois computer misuse statute, which prohibits unauthorized access to a computer. The prosecution appears to have been a largely symbolic one for deterrent effect: the defendant pled guilty and received a $250 fine plus a year of court supervision, and the prosecutors released statements to the press about how this should be a warning to others.
I have written a long law review article on when access to a computer network should be consider “unauthorized,” and I won’t repeat the argument here. But one of the interesting stories in criminal law in the last decade or so is the remarkably expansive interpretation courts have given to these new computer misuse statutes. Much of the problem is that the federal statute has civil remedies, and businesses have used these remedies to get federal jurisdiction in all sorts of spats over competitors and opponents. Courts are much more likely to construe the language broadly in civil cases than in criminal cases: it takes a lot less to convince a judge to stop a sneaky business practice than it does to convince a judge to put someone in jail for that practice.
A good example is the recent Posner opinion in International Airports v. Citrin, which adopts the remarkable position that an employee who uses his employer’s computer with a subjective intent to help his employer’s competitor is committing an unauthorized access under federal law. Under Posner’s view, the statute acts as sort of a nationwide employee loyalty test. Maybe there is an argument that this makes sense in civil cases, but it seems like an astonishing interpretation for a criminal statute.
As a response to the general matter: I think the trouble revolves around how an individual is expected to determine whether access is authorized.
Let us say that we adopt the position that connecting to unsecured wireless networks without express permission is illegal.
Then what are we to make of someone who runs a service that allows anyone on his local network to download files. Now say that he hasn’t given his permission to anyone to connect to and use this access. Further say that legally acquired but copyrighted material is accessible as a result.
Is the individual liable for unauthorized distributing copyrighted material?
And simultaneously an individual accessing the information would be guilty of misuse?
How is the accessing individual to know that access is not available by intention and that the network owner had the necessary rights to distribute the information thus available?
Computer misuse statutes seem to be stuck in the “war-dailing” era of computing where intentions were essentially universally aligned with providing restricted access to scarce, expensive resources and proprietary information.
[OK Comments: Much of this concern is addressed through mens rea requirements, such as intent, knowledge, etc.]
Not sure I follow Orin’s response. Take 18 U.S.C. s 1030(a)(5)(A)(iii):
Orin, are you saying that the person has to intend not only to access the computer, but intend that such access be unauthorized? (Haven’t read your article yet, sorry.) If not, then I think Paul’s hypothetical has some force. A lot of people don’t care whether their neighbors (as opposed to wardrivers) access their WiFi network. Absent other cues (e.g., SSID hasn’t been changed from default, indicating neophyte user), how is a neighbor supposed to tell if access is authorized or not?
[OK Comments: Yes, the mens rea applies to authorization as well as access. For the most part, "access" is merely use; essentially all access is intentional access. The crux of the issue is the mens rea for the lack of authorization.]
I’m wondering whether Orin is reading Posner’s opinion too broadly.
Posner is basically saying that the second an agent breaches his fiduciary duty to his principal, the agent is no longer authorized to access the computer the principal gave to the agent to carry out the principal’s objectives. “Citrin’s breach of his duty of loyalty terminated his agency relationship … and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”
Would this reasoning really extend to any employee “who uses his employer’s computer with a subjective intent to help his employer’s competitor”?
[OK comments: What's the argument that it wouldn't?]
The issue that you’re wrestling with, both in the post and in the NYU piece, is the issue of boundaries. Colloquially, network and computer administrators and users expect to implement them and to encounter and navigate them. Implicitly, computer crime statutes (and other access-regulating regimes, including but not limited to contract law) assume that they exist and can be identified. The debate is over how to do so, both ex ante and ex post, given the fact that the law rarely lays this out explicitly. I put my own views, which focus on civil litigation rather than criminal law, in a piece in the Boston College Law Review that was published around the same time as the NYU article.
Orin,
What you’re suggesting is an excellent idea. In fact, it solves a whole host of problems if applied in a wider context.
I’ve argued for years that the Internet ought to adopt a “fencing out” legal standard. States in the western U.S. that have a ranching tradition are either “fencing in” or “fencing out” states. If you are a cattle rancher in a “fencing in” state, the onus is on you to fence your cattle in so that they will not harm the property of others. If, however, you live in a “fencing out” state, the cattle roam free and the burden is on the landowner to protect his property by building a fence around it.
The same standard ought to be applied to the Internet. Not only does this address the “unauthorized access” problem, it addresses deep linking, bandwidth “theft,” a variety of copyright issues, etc.
The default state of the Internet ought to be freedom and unfettered access. If someone wants to limit access to their websites and servers, the burden ought to be on them, especially since the technological means to do so are readily available. The law ought to be invoked only when someone intentionally circumvents the owner’s “fence.”
OTS, I think your proposal isn’t all that helpful without a far more articulated description of “fence” and “circumvention.”
It is no secret that most home PCs (Wintel boxes, anyway) are unsecured against numerous exploits. Worse, new exploits emerge on a daily basis. Under a “fence out” approach, am I simply SOL if — despite my best efforts, including installing current security patches and running a firewall — a network intruder (or, more likely, a worm) succeeds in rooting my machine?
Mark,
The kind of intrusions you’re talking about typically involve installing a piece of code on the compromised machine — it’s not a question of simple “access.” To continue the analogy, if you fail to build a fence, you neighbor’s cattle can roam across your property. But that doesn’t mean your neighbor can use your property to build a barn for them.