Monday, September 21, 2009

"Authorization" -- Follow-up

This is a follow-up to what I said at the end of my last post, i.e., that conflating damage and authorization misinterprets and misapplies “access” crimes.

I thought of a way to illustrate what I mean. As I’ve probably noted before, criminal law makes “burglary” a crime. Basically, to commit burglary I must (i) enter a building or other property knowing I’m not authorized to do so (trespass) (ii) with the intent to commit a crime once inside (e.g., arson, theft, murder). So if I break into your house intending to steal whatever I can find inside, I’ve committed burglary.

Under some statutes, like the Model Penal Code, the crime of burglary and the target crime (the crime I intend to commit once I’m inside) merge, which means I can’t be convicted of both. Under many modern statutes, they don’t merge; that’s because the modern trend in U.S. criminal law (anyway) is to break offenses into their separate parts and allow liability to be imposed for each part.

But for the purposes of this analysis, let’s go with the formulation of burglary as (i) trespassing on property (ii) in order to commit a crime once I’m there. It seems to me there’s something of an analogy between burglary, in this sense, and the “access” crimes like those defined by 18 U.S. Code § 1030.

And that brings me back to authorization: I think § 1030 is a kind of burglary statute. Section 1030 doesn’t make simple trespass (gaining access to a computer without being authorized to do so) a crime; it only makes computer trespass a crime if the person who trespassed into a computer system caused damage to the system or data inside it.

If I’m right about that, then the Ninth Circuit was correct in its interpretation of what it means for access to be “unauthorized” and the Seventh Circuit erred in Citrin. If we look at the “access” crimes defined by § 1030 and other statues, it seems pretty clear that they’re computer burglary statutes. As far as I can tell (based on a lot of prior research and some quick refresher research I just did), all the “access” crimes in U.S. law (and, I believe, in the “access” statutes in force in many other countries, as well) require both unauthorized access (trespass) and the commission of a crime (damaging, deleting, copying data, etc.) for the person to be held liable.

That structure of the crimes inferentially established, IMHO, that the “authorization” and “damage” analyses are separate and sequential, as I noted at the end of my last post. They operate a lot like the analysis of a burglary charge: You first have to ask if the person trespassed (gained entry to property without being authorized to do so). If they did, then you go on to the second element: whether the intended to and did commit a crime once inside. If the facts establish both elements, you have burglary. If they only establish the first element, then you have criminal trespass. And if they only establish the second element, you only have the crime the person committed once inside; so you could only charge the person with arson, murder, theft, etc.

I think that’s exactly how we should approach “access” crimes like those defined under § 1030. If the facts don’t show that the access to the system was unauthorized, then we have to prosecute the person (usually, the faithless employee) for what he or she really did, i.e., theft (copied data and took the copy), vandalism/property damage (destroyed data or altered it so it’s useless), etc.

As to charging the person with theft, some state statutes specifically criminalize “computer theft.” A Minnesota statute, for example, makes it a crime to “intentionally and without claim of right” take, transfer or retain possession of computer software or data. Minnesota Statutes § 609.89. I find it interesting that this statute has two provisions: The first makes it a crime to access a computer without authorization to steal data; the second makes it a crime to take, transfer or retain data. So what Minnesota apparently did was to create both an “access” (computer burglary) crime and a “theft” (computer theft) crime.

Out of curiosity, I checked to see if any state statutes define a separate crime of “computer damage” which could be used when the “access” element failed but the evidence proves the person damaged data. I only found a few. Minnesota (again) has a statute that makes it a crime to “intentionally and without authorization” damage or destroy a computer, computer network or computer data. Minnesota Statutes § 609.88. I found one or two similar statutes in other states, and more may be out there.

Section 1030 doesn’t have this residual option for charging someone with theft or damage . . . which is probably why the Citrin court and a few other courts have tried to expand the “authorization” element. I think it would be better to add a theft and/or damage alternative to § 1030.


Lokkju said...

The problem with "access" and "modify" (damage) when discussing computer crime is that the simple act of accessing *also* will modify or damage the device - or even at the least "copy" data - triggering another crime.

For example, let take a scenario of someone entering a house without permission - which is simple trespass. While in the house, they read the titles of the books on your bookshelf, and perhaps even read a little bit of an upcoming paper you will be publishing. I can't really think of any extra crime you could charge them with, and I would argue that in fact, they have not committed any crime other than simple trespass at that point.

Now, lets take a computer trespass:
Someone access a computer system without authority, or exceeds their authority. While in the computer system, they browse the filesystem, and peek into a few files. At this point, they have now accessed (obviously), modified (the memory and most likely the data on the hard drive has been at least slightly modified), and copied data (by looking at files). They *may* even have deleted data, since unused memory most likely was overwritten during their activities.

I don't really know what my point is here - other than that almost every analogy between the physical and computer worlds fails miserably.

Dorian Gray said...

I tend to agree with - "other than that almost every analogy between the physical and computer worlds fails miserably."

I believe that technology has advanced to the point that prior legal metaphors and analogies are obsolete and no longer able to be used in a context to be of value.

But, for some reason, we still try in vain.

New frontiers sometimes demand a shift in paradigm in how we relate to this fresh subject matter.