This is a follow-up to what I said at the end of my last post, i.e., that conflating damage and authorization misinterprets and misapplies “access” crimes.
I thought of a way to illustrate what I mean. As I’ve probably noted before, criminal law makes “burglary” a crime. Basically, to commit burglary I must (i) enter a building or other property knowing I’m not authorized to do so (trespass) (ii) with the intent to commit a crime once inside (e.g., arson, theft, murder). So if I break into your house intending to steal whatever I can find inside, I’ve committed burglary.
Under some statutes, like the Model Penal Code, the crime of burglary and the target crime (the crime I intend to commit once I’m inside) merge, which means I can’t be convicted of both. Under many modern statutes, they don’t merge; that’s because the modern trend in U.S. criminal law (anyway) is to break offenses into their separate parts and allow liability to be imposed for each part.
But for the purposes of this analysis, let’s go with the formulation of burglary as (i) trespassing on property (ii) in order to commit a crime once I’m there. It seems to me there’s something of an analogy between burglary, in this sense, and the “access” crimes like those defined by 18 U.S. Code § 1030.
And that brings me back to authorization: I think § 1030 is a kind of burglary statute. Section 1030 doesn’t make simple trespass (gaining access to a computer without being authorized to do so) a crime; it only makes computer trespass a crime if the person who trespassed into a computer system caused damage to the system or data inside it.
If I’m right about that, then the Ninth Circuit was correct in its interpretation of what it means for access to be “unauthorized” and the Seventh Circuit erred in Citrin. If we look at the “access” crimes defined by § 1030 and other statues, it seems pretty clear that they’re computer burglary statutes. As far as I can tell (based on a lot of prior research and some quick refresher research I just did), all the “access” crimes in U.S. law (and, I believe, in the “access” statutes in force in many other countries, as well) require both unauthorized access (trespass) and the commission of a crime (damaging, deleting, copying data, etc.) for the person to be held liable.
That structure of the crimes inferentially established, IMHO, that the “authorization” and “damage” analyses are separate and sequential, as I noted at the end of my last post. They operate a lot like the analysis of a burglary charge: You first have to ask if the person trespassed (gained entry to property without being authorized to do so). If they did, then you go on to the second element: whether the intended to and did commit a crime once inside. If the facts establish both elements, you have burglary. If they only establish the first element, then you have criminal trespass. And if they only establish the second element, you only have the crime the person committed once inside; so you could only charge the person with arson, murder, theft, etc.
I think that’s exactly how we should approach “access” crimes like those defined under § 1030. If the facts don’t show that the access to the system was unauthorized, then we have to prosecute the person (usually, the faithless employee) for what he or she really did, i.e., theft (copied data and took the copy), vandalism/property damage (destroyed data or altered it so it’s useless), etc.
As to charging the person with theft, some state statutes specifically criminalize “computer theft.” A Minnesota statute, for example, makes it a crime to “intentionally and without claim of right” take, transfer or retain possession of computer software or data. Minnesota Statutes § 609.89. I find it interesting that this statute has two provisions: The first makes it a crime to access a computer without authorization to steal data; the second makes it a crime to take, transfer or retain data. So what Minnesota apparently did was to create both an “access” (computer burglary) crime and a “theft” (computer theft) crime.
Out of curiosity, I checked to see if any state statutes define a separate crime of “computer damage” which could be used when the “access” element failed but the evidence proves the person damaged data. I only found a few. Minnesota (again) has a statute that makes it a crime to “intentionally and without authorization” damage or destroy a computer, computer network or computer data. Minnesota Statutes § 609.88. I found one or two similar statutes in other states, and more may be out there.
Section 1030 doesn’t have this residual option for charging someone with theft or damage . . . which is probably why the Citrin court and a few other courts have tried to expand the “authorization” element. I think it would be better to add a theft and/or damage alternative to § 1030.