As I’ve noted in earlier posts, lawyers sometimes analogize emails to postcards. As I’ve also noted, prosecutors often do this when they’re arguing that emails aren’t entitled to as much 4th Amendment protection as are sealed letters sent through the mail.
This post is about a case in which the email-as-postcard theory came up in a different context.
The case is People v. Klapper, 2010 WL 1704796 (Criminal Court – City of New York 2010), and this opinion deals with the defendant's motion to dismiss the charges against him.
The defendant – Andrew Klapper – was charged with unauthorized use of a computer in violation of New York Penal Code § 156.05. This is all I know about the facts that led to his being charged:
[D]eponent is informed by a first individual known to the District Attorney's Office that [Klapper] installed software on a computer at [Klapper]'s office that recorded the keystrokes entered by the users of said computer.
Deponent further states that deponent is further informed by a second individual known to the District Attorney's Office that said second individual was an employee at [Klapper]'s office and was instructed by [Klapper] to use only the above mentioned computer. Deponent further states that deponent is further informed by said second individual that said second individual then used the above-mentioned computer for work-related purposes, including to access and use a personal e-mail account.
Deponent further states that deponent is further informed by the first individual that the software installed by [Klapper] on the above-mentioned computer recorded the password for the e-mail account of the second individual. Deponent further states that deponent is further informed by the first individual that said first individual observed [Klapper] access the second individual's e-mail account and print copies of computer data and computer material contained within the second individual's e-mail account.
Deponent further states that deponent is further informed by the second individual that [Klapper] e-mailed said second individual an electronic document that contained portions of e-mails generated from said second individual's e-mail account. Deponent further states that deponent is further informed by said second individual that [Klapper] had no permission or authority to access said second individual's personal e-mail account or to take or use any computer data, computer material, or other electronic information stored in said second individual's personal e-mail account.
People v. Klapper, supra. The opinion says this statement of facts is taken from the “factual portion of the accusatory instrument”, which apparently was a complaint.
Section 156.05 of the New York Penal Code provides as follows: “A person is guilty of unauthorized use of a computer when he or she knowingly uses, causes to be used, or accesses a computer, computer service, or computer network without authorization.” As this opinion explains, other provisions of the Penal Code define three relevant terms:
A computer is defined as `a device or group of devices which, by manipulation of electronic, magnetic, optical or electrochemical impulses, pursuant to a computer program, can automatically perform arithmetic, logical, storage or retrieval operations with or on computer data, and includes any connected or directly related device, equipment or facility which enables such computer to store, retrieve or communicate to or from a person, another computer or another device the results of computer operations, computer programs or computer data.’ [New York Penal Code §] 156.00. A computer service includes `any and all services provided by or through the facilities of any computer communication system allowing the input, output, examination, or transfer, of computer data or computer programs from one computer to another.’ [New York Penal Code §] 156.00. . . . [T]o access a computer, computer service or computer network means `to instruct, communicate with, store data in, retrieve from, or otherwise make use of any resources of a computer, physically, directly or by electronic means.’ [New York Penal Code §] 156.00.
People v. Klapper, supra. New York Penal Code § 156.00 defines “without authorization” as
to use or to access a computer, computer service or computer network without the permission of the owner . . . or someone licensed or privileged by the owner . . . where such person knew that his or her use or access was without permission or after actual notice to such person that such use or access was without permission. It shall also mean the access of a computer service by a person without permission where such person knew that such access was without permission or after actual notice to such person, that such access was without permission.
Klapper argued that the “accusatory instrument” didn’t allege facts sufficient to
establish a prima facie case to support the charge of unauthorized use of a computer. . . . [He] argues that the factual allegations fail to identify with specificity the email account allegedly accessed or any other facts to support that the alleged access was unauthorized, inasmuch as the complaint fails to state whether the email account was complainant's personal-work email account or a `private personal’ email account. Moreover, [Klapper claims] the allegations are devoid of facts to support that complainant had an expectation of privacy with regard to email use at work since [Klapper] owned the computer and complainant was [his] employee.
Klapper therefore argued that the court should dismiss the complaint as substantively inadequate. People v. Klapper, supra. The prosecution – the People – opposed the motion to dismiss, claiming the factual allegations in the complaint were sufficient to
support the charge. First, the People contend that the allegations that [Klapper] was (1) observed by another employee installing keystroke-tracking software on a computer, (2) that he instructed complainant to use said computer, (3) that complainant did use said computer `for work-related purposes, including to access and use a personal email account’, and (4) that [Klapper] was later observed accessing said email are sufficient to support the charge, as the allegations provide [him] with the conduct and crime that he is alleged to have committed. Second, the People contend that the question of whether [Klapper] as an employer had the authority to access the email account is an issue of fact for trial, as the complainant's use of the computer for work-related purposes goes to the weight, not the sufficiency of the charges.
People v. Klapper, supra.
The People lost: The judge held that the factual allegations in the complaint weren’t sufficient to “establish the element of `without authorization,” so the complaint was “jurisdictionally defective”, i.e., it didn’t charge a crime. People v. Klapper, supra. He explained that the allegations that Klapper “installed keystroke-tracking software and viewed email” were “legally sufficient to establish” that he “knowingly . . . accessed a computer”. People v. Klapper, supra. He also found that “based on the circumstances, herein, the allegations” were insufficient to show Klapper “acted without authorization.” People v. Klapper, supra.
[I]t is not contested that [he] owned the computer, as the allegations clearly state that the keystroke tracking software was installed `on a computer at the defendant's office.’ The allegations further state that the complainant was `an employee at the defendant's office’ and complainant used said `computer for work-related purposes, including to access and use a personal e-mail account.’ [But the complaint does] not allege that [Klapper], the computer owner, had notice of any limited access to the computer or the email account. The allegations further fail to allegation that complainant had installed a security device to prevent unauthorized access or use. Conversely, the allegations state that [Klapper] sent an email to complainant containing documents from her email account, which supports an inference that [he] did not have notice or at minimum had a reasonable belief that his access was not prohibited or limited.
People v. Klapper, supra. And that brings us to the email-as-postcard issue:
Whereas, some may view emails as tantamount to a postal letter which is afforded some level of privacy, this court finds . . .emails are more akin to a postcard, as they are less secure and can easily be viewed by a passerby. Moreover, emails are easily intercepted, since the technology of receiving an email message from the sender, requires travel through a network, firewall, and service provider before reaching its final destination, which may have its own network, service provider and firewall. An employee who sends an email, be it personal or work related, from a work computer sends an email that will travel through an employer's central computer, which is commonly stored on the employer's server even after it is received and read. Once stored on the server, an employer can easily scan or read all stored emails or data. The same holds true once the email reaches its destination, as it travels through the internet via an internet service provider. Accordingly, this process diminishes an individual's expectation of privacy in email communications.
People v. Klapper, supra. The judge seems to use this analogy to buttress the point he made earlier, i.e., that Klapper knew he didn’t have authority to access the computer and/or email account. To convict Klapper of violating New York Penal Code § 156.05, the prosecution would have had to prove that he (i) knowingly (ii) accessed (iii) a computer (iv) without being authorized to do so. This judge found that, at a minimum, the “accusatory instrument” – the criminal complaint – didn’t adequately alleged that Klapper knowingly accessed a computer without being authorized to do so. (It looks to me like he also, at least implicitly, found that the complaint didn’t adequately allege that Klapper accessed a computer without being authorized to do so, but the failure to plead knowledge seems to be the primary basis of the opinion.)
I think the paragraph that utilizes the email-as-postcard analogy is probably what we lawyers call dictum: comments a judge includes in his opinion but that are not a substantively essential part of the decision. It almost looks like an aside to me.