Friday, January 30, 2009

"Without Authorization"

As I’ve noted before, there are two different kinds of computer hacking (or computer trespass) crimes: Accessing a computer without being authorized to do so (outsider attack) and exceeding the scope of one’s authorized access to a computer (insider attack).

As I’ve also noted, crimes that fall into the first category are usually factually unambiguous; it’s usually pretty easy to prove that an outsider improperly gained access to a computer or computer system.

As I explained in an earlier post, the crimes that fall into the second category can be very factually ambiguous. Here, we’re talking about someone who is legitimately authorized to access a computer system but who goes “too far,” who uses the system in a way that is – explicitly or implicitly – not within the scope of his or her authorization. This post is about a recent federal case that addressed this precise issue.

It’s a civil case: Condux International, Inc. v. Haugum, 2008 WL 5244818 (U.S. District Court for the District of Minnesota). As I’ve noted, 18 U.S. Code § 1030, the basic federal cybercrime statute, creates a civil cause of action for one who has been damaged by a violation of the statute. 18 U.S. Code § 1030(g). In this case, Condux sued Haugum for violating several provisions of §1030, based on these facts:
Condux . . . manufactures and installs tools and equipment used in the electrical utility, electrical contracting, telecommunications, and cable television industries. Haugum . . . worked for Condux . . . as Vice President of Global Sales. As vice president, Haugum was responsible for overseeing sales and marketing for the company, and accordingly, was authorized to access `confidential business information’ (such as Condux's customer lists, pricing and sales data, profit-margin data, and engineering drawings of Condux's products) stored on Condux's computer system. Condux's employee handbook provides that confidential business information owned by Condux is not to be misappropriated by employees for their own personal benefit.

In November 2007, Haugum exchanged emails with a former Condux employee indicating [he] was considering quitting his job and starting his own competing business. Condux alleges that in December 2007, Haugum requested that an employee in Condux's information technology department send him an electronic list of Condux's customers and their contact information. Also, Condux asserts, Haugum downloaded over forty engineering drawings from Condux's computer system in January 2008. Soon thereafter, Haugum announced his resignation and left Condux on February 15, 2008.

Condux asserts that since Haugum's departure, it has learned [he] `attempted to delete evidence of his download of the engineering drawings’ and discovered a document drafted by Haugum that included a resolution to develop a business to compete with Condux. Condux alleges further that Haugum has (1) approached one of Condux's distributors about doing business directly with Haugum; (2) exchanged emails with a former Condux employee in which the former employee agreed to send Condux's confidential business information to Haugum; and (3) `directed’ the former employee to delete evidence of those emails and the accompanying transfer of confidential business information. Condux claims that Haugum's activities in obtaining the confidential business information were wrongful . . . and that Condux has suffered damages as a result.
Condux v. Haugum, supra.

Condux specifically alleged that Haugum violated 18 U.S. Code §§ 1030(a)(2)(C), 1030(a)(4) and 1030(a)(5)(A). Haugum filed a motion to dismiss the suit, claiming that Condux had not adequately stated a claim for damages under any of these sections.

The federal judge began her analysis of his motion to dismiss by explaining that a
violation of subsection (a)(2)(C) occurs when a person intentionally accesses a computer without authorization or in excess of authorized access and thereby obtains information from a `protected computer’ if the conduct involved an interstate or foreign communication. . . . Subsection (a)(4) is violated if a person knowingly and with intent to defraud, accesses a protected computer without authorization or in excess of authorized access and by means of such conduct obtains anything of value. . . . And a violation of subsection (a)(5)(A) occurs when a person intentionally accesses a protected computer without authorization and as a result of such conduct causes or recklessly causes damage. . . . Thus, violations of subsections (a)(2) and (a)(4) require allegations that Haugum accessed Condux's computers either without authorization or in excess of authorized access, while violations of subsection (a)(5)(A)(ii) and (iii) require an allegation that Haugum accessed a protected computer without authorization.
Condux v. Haugum, supra. Haugum argued that Condux didn’t have a valid claim under any of the sections because
his position as vice president `authorized’ him to access Condux's computer system and specifically to access the confidential business information and, therefore, Condux is unable to allege that he acted without authorization or in excess of authorized access. Condux does not dispute that Haugum was permitted to access the confidential business information; instead, Condux contends that Haugum was without authorization or exceeded his authorized access because he was `never authorized . . . to access its computer system to misappropriate confidential business information for his personal competitive use.’ In other words, Haugum was without authorization or exceeded his authorized access because of his wrongful intended use of the confidential business information.
Condux v. Haugum, supra.

Courts are divided on this issue. Some have found that an employee acts without authorization or exceeds authorized access when he accesses confidential or proprietary business information from his employer's computers which he is authorized to access but then uses that information in a manner that is inconsistent with the employer's interests or violates contractual obligations or fiduciary duties. Other courts have taken a narrower view and held that §1030 is implicated only by the unauthorized access, obtainment, or alteration of information, not the misuse or misappropriation of information obtained with permission. Condux v. Haugum, supra. The Condux judge decided the latter position is the correct one:

The interpretation advanced by Condux . . . focuses on what a defendant did with the information after he accessed it (use of information), rather than on the appropriate question of whether he was permitted to access the information in the first place (use of access). Had Congress intended to target how a person makes use of information, it would have explicitly provided language to that effect. . . . [O]ne need look no further than another subsection of § 1030 to see explicit language that targets a person's use of information. See 18 U.S.C. § 1030(a)(1) (prohibiting the access without authorization or in excess of authorized access and subsequent `communicat[ion], deliver[y], or transmi[ssion]’ of certain information). Thus, `the plain language of [subsections (a)(2), (a)(4), and (a)(5)(A)(ii) and (iii)] target “unauthorized procurement or alteration of information, not its misuse or misappropriation.”’
Condux v. Haugum, supra.

The judge therefore granted Haugum’s motion to dismiss Condux’s § 1030 claims, noting that there was “no dispute that Haugum, as Vice President of Global Sales, was permitted to access Condux's computers. Therefore, he was not `without authorization’ when he accessed the computers. Additionally, because he was permitted to access the specific confidential business information, he did not `exceed authorized access.’” Condux v. Haugum, supra. The judge also noted that this did not leave Condux without recourse because it could pursue state law claims such as misappropriation of trade secrets, misappropriation of confidential business information, breach of fiduciary duties, and unfair competition. Condux v. Haugum, supra.

I think this judge got it right, given how § 1030 is currently written. And I’m not sure I would want to see it revised to make it encompass Condux’s theory of wrongful access. It seems to me the more logical option, if we decide any changes are needed, would be to make the basic act of gaining unauthorized access to a computer system or exceeding authorized access to such a system a crime (and civil cause of action); then we could make it a more serious crime (an aggravated wrongful access crime) to do that AND use the data accessed in a manner that is harmful to the rightful owner of the computer system. That would preserve the notion of wrongful access as digital trespass while still giving the statute a way to address egregious instances of wrongful access.
