Monday, March 08, 2010

"Unauthorized Access" Strictly Construed

As I’ve explained in earlier posts, there are two different kinds of computer trespass (or hacking) crimes: Accessing a computer without being authorized to do so (outsider attack) and exceeding the scope of one’s authorized access to a computer (insider attack).

As I’ve also explained, courts find it easy to parse crimes that fall into the first category, since here we’re talking about someone who has NO right to access the computer or computer system at issue. Courts have had much more difficulty parsing the “exceeding authorized access” crime because here the accused had the right to access part of the computer or computer system; the problem is that he/she went too far and accessed parts of the computer or computer system which he or she wasn’t authorized to access.

Most of the posts I’ve done on the “unauthorized access” and “exceeding authorized access” crimes have dealt with federal cases that were brought under the general federal computer crime statute – 18 U.S. Code § 1030. This post is about a state court decision that actually dealt with both types of illegal access. The case is State v. Riley, 2009 WL 5879349 (Superior Court of New Jersey 2009), but before I get to the case, I need to put the issues and the state court’s authority to decide those issues into context.

Some people may believe that federal courts are “superior” to state courts, i.e., that a federal court’s decision on an issue binds a state court. That is sometimes true and sometimes not. As Wikipedia notes, “state courts are not subordinate to federal courts. Rather, they are two parallel sets of courts with different, often overlapping jurisdiction.” Each is supreme in its particular area: state courts are supreme when it comes to interpreting state law; as Wikipedia notes, federal courts must defer to state courts when it comes to interpreting state law. Conversely, federal courts are supreme when it comes to interpreting federal law, such as constitutional provisions or federal statutes like 18 U.S. Code § 1030.

The opinion this post deals with was issued by a New Jersey Superior Court. As far as I can tell, this particular Superior Court is a trial court, not an appellate court. The judge still has the authority under Section III(2) of the New Jersey Constitution to interpret New Jersey law, and that interpretation governs the case before the court unless and until the decision is reversed by a higher court.

And that brings us to the case against Sergeant Kenneth Riley, a New Jersey police officer. Riley was charged with two offenses under New Jersey’s computer crime law:

[A] person commits a . . . crime if he knowingly or purposely accesses computerized data without authorization or in excess of authorization. [New Jersey Statutes 2C:20-25(a)]. A person also commits a . . . crime if he so accesses data and then knowingly or recklessly discloses it. [New Jersey Statutes 2C:20-31(a)]. [Riley’s] motion to dismiss the indictment requires the court to determine, as a matter of first impression, whether the law covers employees who enjoy password-protected access to computerized information, but who view or use such information in ways or for purposes that their employer prohibits.

State v. Riley, supra. A “matter of first impression” is an issue a court hasn’t addressed before, which means there’s no direct precedent guiding this court in its decision. This is how Riley came to be indicted:

[Riley] twice viewed a digitally stored video of a motor vehicle stop conducted by three other police officers in the early morning hours of January 6, 2008. The stop involved a driver suspected of driving under the influence of intoxicating liquors. Participating in the stop were Princeton Borough Police Sergeant Robert Currier, and Patrolmen Garrett Brown and William Perez. Also near the scene was Patrolman Mervyn Arana. Brown and Arana were assigned to defendant's squad at the time, and subject to his general supervision. Brown assisted Currier with the motor vehicle stop. During the stop, Currier allowed the suspect to urinate in nearby bushes.

The video was recorded on a computerized system that automatically downloaded digitally recorded traffic stops to the Borough Police Department's computer system. All sergeants, including [Riley], had passwords that enabled them to view any such digital recordings. According to one witness, ‘the only practical way to enter the computer system containing the recordings was to use “an administrative officer's password or a sergeant's password.”’ A sergeant could use his password to access the entire MVR database. [Riley] learned of the permitted urination, and believed that Currier had violated law and policy. . . .

The State presented evidence that [Riley] used his password to view the recording of the traffic stop on January 6, 2008 and January 8, 2008. He also permitted police personnel below sergeant's rank to view the video. And his motivation for doing so, according to . . . the State, was not to train officers . . . but to cause injury to Currier, by subjecting him to embarrassment and discipline. Evidence also was presented that [Riley] attempted to mislead superiors about when and why he viewed the video of the traffic stop.

The State also presented evidence that defendant violated the department's policy and procedures for the proper use of mobile video and audio equipment (‘MVR Policy’).

State v. Riley, supra. The opinion reviews the policy and procedures in detail and then summarizes them as follows:

[T]he policy's explicit grants of authority to sergeants were exclusive of any other authority. Thus, the policy only permitted sergeants to view tapes randomly of their subordinate officers for training purposes. They could not view tapes for any other purpose. They could not even view a tape of a subordinate while acting under the command of another sergeant. Also, the policy prohibited a sergeant from accessing a recording of another sergeant's stop.

State v. Riley, supra. The State claimed Riley “gained entry to the MVR database, and viewed the recordings of Currier's stop, for a purpose not permitted by the MVR Policy” and therefore “accessed data without authorization or in excess of authorization.” State v. Riley, supra. In ruling on the State’s argument, the court noted, first, that it is not clear from the language of the relevant statutes

what it means . . . to access computerized data . . . ‘without authorization’ or ‘in excess of authorization.’ It is also unclear whether unauthorized access may be proved solely with evidence that a defendant, who is an employee or other ‘insider’ with current password-access, knowingly violated internal guidelines regarding use of computer-based information. (By “unauthorized,” this court refers to actions without authorization or in excess of authorization.) . . .

One can posit a member of the information technology (I.T.) department of a business who possesses all the employees' passwords in order to maintain the business's computer system, but internal policy directs him not to read employees' documents. In one sense, the I.T. professional is authorized to access every employee's files. If a worker asks the I.T. professional to help retrieve a sensitive trade-secret-related document that the worker accidentally deleted, the I.T. professional can do so, using the passwords already provided to him. In another sense, if the I.T. professional reads the worker's document, he may be acting in excess of his authorization. Reference to the plain language of the statute does not clearly indicate which reading is correct.

State v. Riley, supra. As to how this issue should be resolved, the court explained that

[o]n one hand, the definitions of ‘authorization’ and ‘access’ can be read broadly to expand the statute's reach. . . . ‘[A]uthorization’ can be read to refer not simply to a password or other code-related powers to enter or utilize a computer, but also to include permission to use information once entry is achieved. . . .

On the other hand, [New Jersey Statutes 2C:20-25(a)] may -- and this court ultimately concludes, should -- be read more narrowly. One may construe ‘authorization’ to refer only to a password, or other code-based restrictions to utilizing a computer. Thus, the I.T. worker posited above did not access the document without, or in excess of, authorization. The worker had the password. Thus, he had the ‘permission, authority or consent’ to enter the employee's document files.

State v. Riley, supra (quoting New Jersey Statutes 2C:20-23(a)). The judge then noted how New Jersey law on this issue differs from federal law:

Federal law defines ‘exceeds authorized access’ to mean ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.’ 18 U.S. Code § 1030(e)(6). That also is not unambiguous, as one may ponder what it means to be ‘not entitled to obtain or alter’ data. Arguably, one is entitled if he has a password or code-based right to obtain or alter the data. . . .

New Jersey did not adopt the federal definition. In [New Jersey Statutes 2C:20-25(a)] ‘in excess of authorization’ simply modifies ‘access.’ Thus, according to a narrow reading, the statute does not cover ‘use’ in excess of authorization. Rather, it covers a situation where someone has password or code-based permission to enter certain databases but not others, but hacks his way into a second level within the computer data base. If the Legislature wanted to cover persons who acted in excess of authorization to use data, as opposed to in excess of authorization to access data, it could have said so.

State v. Riley, supra.

After reviewing the legislative history for the New Jersey statutes and examining cases from other jurisdictions, the court concluded that “unauthorized access under [New Jersey law] does not encompass entry into a computer database by an insider with a current password.” State v. Riley, supra. The judge explained that the State’s theory

depends on reading the computer crime act to criminalize what amounts to breach of employment contracts, or even less formal employment policies, governing use of workplace computers by insiders or employees already granted some level of access to them. In effect, according to the State, the criminal law has incorporated by reference those often unclear and informal workplace policies. Actual notice to employees, let alone their explicit acceptance, is often non-existent.

State v. Riley, supra. The judge then explained why he found the State’s argument unacceptable as a matter of policy:

Other violations of internal policies are conceivable. Library users may abuse a policy on public computers by staying online too long. . . . An employee might share company data with co-workers . . . who are not supposed to see the data (but do not further disclose it). Concededly, [Riley] is charged with actions that one might view as more serious. The police department's policies regarding use of MVRs were designed in part to maintain the integrity of evidence. However, there was no allegation that the evidence in this case was damaged or impaired in any way, or that defendant Riley compromised the State's ability to prosecute the driver in Sergeant Currier's motor vehicle stop. . . .

[A]ssuming that a broad range of the population violates internal workplace computer use policies at one point or another, deeming such violations a crime would empower the State, unguided by firm definitional standards, to . . . prosecute whomever it wishes from that broad cross-section of the population. . . . [T]he criminal law should not be some pliable material the State may bend and mold at will to fit an unwarned defendant.

State v. Riley, supra. The judge therefore dismissed the four “access” counts in the indictment, leaving Riley charged with two counts of “official misconduct”. State v. Riley, supra.

This opinion interprets New Jersey law; it does not bind federal agents or prosecutors. So if someone in New Jersey is charged with exceeding authorized access under New Jersey law, this decision applies; if he’s charged with unauthorized access in violation of 18 U.S. Code § 1030, the decision isn’t binding precedent, though a federal judge could consider the court’s reasoning in ruling on a motion to dismiss that charge.


David Schwartz said...

It's a good thing we have some sanity here. It is simply ridiculous to argue that violating policy can translate into a criminal violation of the law.

What if my workplace has an official policy that you can't use workplace computers "to do bad stuff, in the sole judgment of your employer". Does that make "bad stuff" a crime?

Legislatures have to write criminal laws such that we can read the law and understand what is prohibited.

Loki said...

I agree - this was a well thought out decision by the judge, and follows the results of the Drew case (U.S. v. Drew, 08-CR-582)