This post examines an opinion from the Court of Appeals of Michigan: People v. Glenn, 2016 WL 2731098 (2016). The court begins the
opinion by explaining that
Defendant appeals by right his
conviction, following a jury trial, of unauthorized access of a computer, [Michigan Compiled Laws] 752.795(a). Defendant was sentenced to two years' probation. We
affirm.
People v. Glenn,
supra.
The Court of Appeals goes on to explain how and why the
prosecution arose, what it involved and why Glenn was convicted:
Defendant, an officer with the United States Customs and Border Patrol (CBP), worked at the Canada–United States
border in Detroit, Michigan, during the relevant year of 2013. On January 11,
2013, Amanda Shovlin, with whom defendant had a personal relationship, crossed
the border from Canada into the United States, but was detained for secondary
inspection prior to entry.
Defendant was not at work that day, but
returned to work on January 14, 2013. Video surveillance of the office, in
addition to computer monitoring, revealed that defendant searched his TECS computer for Shovlin's name contrary to CBP's TECS use policy, which prohibited
officers from searching for information regarding family members and close
associates. The policy states in pertinent part:
`Field Operations employees shall not
engage in official business involving a family member or a close associate
except in the limited circumstances described in 6.2.3 of this section.
* * *’
`Should circumstances arise in which no
disinterested field operation employee is on duty and no supervisor on duty[,]
a CBP employee is authorized to conduct business with close family or
associates as provided under [sic] and list the management directive number.
Further, when an employee accesses the
TECS system, a warning banner is displayed on the screen. The banner states the
following:’
`You are accessing a [US] off [sic]
government information system which includes this computer, the computer
network, all computers connected to this network and all devices and storage
media attached to this network or to a computer on this network.’
`This information system is provided
for U.S. government authorized use only.’
`Unauthorized or improper use or access
of this system may result in disciplinary action, as well as civil and criminal
penalties. By using this information system. . . . you understand and consent
to the following:’
`You have no reasonable expectation of
privacy when you use this information system. This includes any communications
or data transiting stored on, originated from or directed to this information
system.’
`At any time, and for any lawful
government purpose[,][t]he government may monitor, intercept, search and seize
any communication or data transiting, stored on, originated from or directed to
or from this information system.’
`The government may disclose or use any
communication or data transiting stored on[,] originated from or directed to or
from this information system for any lawful government purpose.’
`You are not authorized to process
classified information on this information system.
Defendant was convicted of unauthorized
access of a computer contrary to [Michigan Compiled Laws] 752.795(a).’
`This
appeal followed.’
People v. Glenn,
supra.
The court goes on to explain that
Defendant argues that he should not
have been bound over for trial because the prosecution failed to present
evidence establishing probable cause that he had violated [Michigan
Compiled Laws] 752.795(a).and also that the statute does not even apply to the
conduct of which defendant was found guilty—violation of an internal computer
`use’ policy. We disagree.
People v. Glenn,
supra.
Next, the court outlined the “standard of review” it uses in
reviewing the result in the cases that come before it:
We review `for an abuse of discretion a
district court's decision to bind over a defendant.’ People v. Hudson, 241
Mich.App 268, 276; 615 NW2d 784 (2000). `A circuit court's decision with
respect to a motion to quash a bindover order is not entitled to deference
because this Court applies the same standard of review to this issue as the
circuit court.’ Id. `An abuse of discretion occurs when the
court chooses an outcome that falls outside the range of reasonable and
principled outcomes.’ People v. Unger, 278 Mich.App 210, 217;
749 NW2d 272 (2008). Furthermore, `[a] trial court necessarily abuses its
discretion when it makes an error of law.’ People v. Waterstone, 296
Mich.App 121, 132; 818 NW2d 432 (2012). However, `[t]he decision whether
alleged conduct falls within the statutory scope of a criminal law involves a
question of law, which this Court reviews de novo.’ People v. Noble, 238 Mich.App 647, 658; 608 NW2d
123 (1999).
People v. Glenn,
supra.
The opinion then takes up the issue of the “bindover” of
Glenn. As a site dedicated to U.S. law and legal terms explains,
`The term `bind over' refers to hold a
person for trial on bond (bail) or in jail. If the judicial official who
conducts a hearing finds probable cause to believe that the accused committed a
crime, then the official will bind over the accused, normally by setting bail
for the appearance of the accused at trial. Binding over means to order a
defendant to be placed in custody pending the outcome of a proceedings against
him or her; `The defendant was bound over for trial'. This is a state
court procedure.’
Getting back to the opinion, the court then explains that
[t]o bind a defendant over to circuit
court, the magistrate at a preliminary examination must `determine whether a
felony was committed and whether there is probable cause to believe the
defendant committed it.’ People v. Yost, 468 Mich. 122,
125–126; 659 NW2d 604 (2003). Probable cause exists where the evidence is `sufficient
to cause a person of ordinary prudence and caution to conscientiously entertain
a reasonable belief of the accused's guilt.’ Id. at 126 (citation
and quotation marks omitted). `In order to establish that a crime has been
committed, the prosecution need not prove each element beyond a reasonable
doubt, but must present some evidence of each element.’ People v..
Redden, 290 Mich.App 65, 84; 799 NW2d 184 (2010). Additionally, `[i]f
the evidence conflicts or raises a reasonable doubt concerning the defendant's
guilt, the defendant should nevertheless be bound over for trial, at which the
trier of fact can resolve the questions.’ Id.
People v. Glenn,
supra.
The Court of Appeals then explains that the statute under
which Glenn was charged provides the following:
`A person shall not intentionally and
without authorization or by exceeding valid authorization do any of the
following:’
`(a) Access or cause access to be made
to a computer program, computer, computer system, or computer network to
acquire, alter, damage, delete, or destroy property or otherwise use the
service of a computer program, computer, computer system, or computer network.
MCL 752.792 further provides the
following relevant definitions:’
`(1) “Access” means to instruct,
communicate with, store data in, retrieve or intercept data from, or otherwise
use the resources of a computer program, computer, computer system, or computer
network.’
* * *
`(3)
“Computer” means any connected, directly interoperable or interactive device,
equipment, or facility that uses a computer program or other instructions to
perform specific operations including logical, arithmetic, or memory functions
with or on computer data or a computer program and that can store, retrieve,
alter, or communicate the results of the operations to a person, computer
program, computer, computer system, or computer network.’
`(4) “Computer network” means the
interconnection of hardwire or wireless communication lines with a computer
through remote terminals, or a complex consisting of 2 or more interconnected
computers.’ . . .
People v. Glenn,
supra.
The opinion goes on to explain that
[t]he unambiguous language of the
statute makes clear that a violation has occurred when a defendant has: (1)
intentionally and (2) without authorization or by exceeding valid authorization
(3) accessed or caused access to be made to a computer program, computer,
computer system, or computer network (4) to acquire, alter, damage, delete, or
destroy property or otherwise use the services of a computer program, computer,
computer system, or computer network.
The only published case from this Court
substantially discussing MCL 752.795 is People v. Golba, 273
Mich.App 603; 729 NW2d 916 (2007). There, the main issue was whether the
64–year–old defendant's conviction under MCL 752.795(a) for using
school computers to
send pornography and emails of
a sexual nature to a 16–year–old student was a `sexual offense’ and thus a
`listed offense’ under the sex offenders registration act (SORA), MCL
28.721 et seq. Id. at 605, 611–612. In addressing
that issue, this Court at least tacitly concluded that the violation of
`internal use’ policies satisfied the `without authorization’ and `exceeds authorized access’
elements of MCL 752.795(a):
In the present case, the evidence
introduced at trial supported the trial court's findings that defendant
violated the school's computer acceptable
use policy by downloading pornography on his school computer and that he viewed the
pornography on the computer in
the presence of a 16–year–old female student. The evidence also supported the
trial court's finding that defendant used the computer to solicit sex from the student. . . . The policy
expressly prohibits users from accessing pornographic materials or
inappropriate text files and prohibited users from sending or receiving e-mails that contained `pornographic material’ or
`inappropriate information.’ Defendant's conduct was sufficient to support a
finding that he intentionally and without authorization, or by exceeding valid
authorization, accessed or caused access to be made to the computer in violation of MCL
752.795. [Id. at 611–612.]
Golba therefore permits `internal
use’ policies to define the contours of `without authorization’ and `exceeds authorized access’
in the context of MCL 752.795(a).
People v. Glenn,
supra.
Since MCL 752.795(a) creates an offense that is at least
similar to the federal crime that is created by the Computer Fraud and Abuse Act [CFAA], 18 U.S. Code § 1030(a)(1), which makes it a federal crime to
“access a computer “without authorization or [by] exceeding authorized access”, the Court of Appeals went on to
review how federal courts of appeal have applied the second option in §
1030(a)(1). People v. Glenn, supra.
It began by explaining that
[i]n United States v. Nosal, 676
F3d 854 (CA 9, 2012), for example, the United States Court of Appeals for the Ninth Circuit, in interpreting a provision of the CFAA with similar language,
and applying the rule of lenity, concluded that the phrase `exceeds authorized access’
does not extend to violations of employer computer use restrictions, but rather only to individuals
whose initial access to
a computer is
authorized but who accesses information
and files that they are not authorized to access. The Second Circuit reached a similar conclusion in United
States v. Valle, 807 F3d 508, 523–528 (2015), in interpreting a
different portion of the CFAA that also used the phrase `exceeds authorized access.’
Other circuits have reached contrary conclusions. See, e.g., United
States v. John, 597 F3d 263, 272 (U.S. Court of Appeals for the 5th Circuit 2010) (holding that employee exceeded authorized access when she
accessed information from her employer's database in violation of her
employer's use policy); EF Cultural Travel BV v. Explorica, Inc, 274
F3d 577, 583–584 (U.S. Court of Appeals for the 9th Circuit 2001) (holding that violation of an employer's
confidentiality agreement was possibly `exceeding authorized access’); United States v.
Rodriguez, 628 F3d 1258, 1260–1263 (CA 11, 2010) (holding that
the defendant exceeded authorized access when
he accessed his employer's (Social Security Administration) customer data
against office policy to find women to whom to send flowers).
People v. Glenn,
supra.
The Court of Appeals went on to explain that
[t]hese decisions of federal courts,
interpreting a federal statute, are of course not binding on this Court in its
interpretation of state law, although they may be persuasive. See Abela
v. General Motors Corp, 469 Mich. 603, 606–607; 677 NW2d 325 (2004).
And, in the instant case, we see no need to determine the full range of conduct
to which MCL 752.795 applies. It is undisputed that, while defendant
was authorized to access the TECS database generally as part of his job, he was
explicitly prohibited from accessing any information relating to family members
or close associates. The information he accessed regarding Shovlin was thus
information he was not authorized to access. Defendant in fact was aware that
he was not permitted to access information regarding persons with whom he had a
current or previous dating relationship, as he had on one previous occasion
informed his supervisor that he had been in a dating relationship with a woman
who had been selected for secondary inspection and did not query the TECS
database regarding her; although the supervisor testified that he and defendant
did not specifically discuss whether defendant was authorized to query this
particular person, he testified as to the general policy prohibiting querying
known associates.
Further, the trial court heard
testimony that defendant had inquired about this policy in 2010, that he spoke
with Special Agent Koshorek of the Department of Homeland Security, and that
she informed him that he was not supposed to query `known associates or family
members’ in TECS and emailed him a copy of the relevant portions of the TECS
use policy. Thus, even if we were to adopt a narrow construction of the phrase
`exceeding valid authorization’ under the rationale of the Ninth and Second
Circuits, defendant's conduct would fall within the conduct prohibited by the
statute. Therefore we conclude that MCL 752.795 applies to
defendant's conduct in accessing the TECS system to search for information
regarding a close associate. Golba, 273 Mich.App at 611–612.
The computer use policy and banner made it clear to defendant that his use was
unauthorized and that he could be subjected to criminal penalties. . . . .
People v. Glenn,
supra.
The court went on to outline its analysis and its holding in
this case:
These decisions of federal courts,
interpreting a federal statute, are of course not binding on this Court in its
interpretation of state law, although they may be persuasive. See Abela
v. General Motors Corp, 469 Mich. 603, 606–607; 677 NW2d 325 (2004).
And, in the instant case, we see no need to determine the full range of conduct
to which MCL 752.795 applies.
It is undisputed that, while defendant
was authorized to access the TECS database generally as part of his job, he was
explicitly prohibited from accessing any information relating to family members
or close associates. The information he accessed regarding Shovlin was thus
information he was not authorized to access. Defendant in fact was aware that
he was not permitted to access information regarding persons with whom he had a
current or previous dating relationship, as he had on one previous occasion
informed his supervisor that he had been in a dating relationship with a woman
who had been selected for secondary inspection and did not query the TECS
database regarding her; although the supervisor testified that he and defendant
did not specifically discuss whether defendant was authorized to query this
particular person, he testified as to the general policy prohibiting querying
known associates. Further, the trial court heard testimony that defendant had
inquired about this policy in 2010, that he spoke with Special Agent Koshorek
of the Department of Homeland Security, and that she informed him that he was
not supposed to query “known associates or family members” in TECS and emailed
him a copy of the relevant portions of the TECS use policy. Thus, even if we
were to adopt a narrow construction of the phrase “exceeding valid
authorization” under the rationale of the Ninth and Second Circuits,
defendant's conduct would fall within the conduct prohibited by the statute.
Therefore we conclude that MCL
752.795 applies to defendant's conduct in accessing the TECS system to
search for information regarding a close associate. Golba, 273
Mich.App at 611–612. The computer use policy and banner made it clear to
defendant that his use was unauthorized and that he could be subjected to
criminal penalties. . . .
People v. Glenn,
supra.
For these and other reasons, the Court of Appeals affirmed
Glenn’s conviction and sentence. People
v. Glenn, supra.
-->
This comment has been removed by the author.
ReplyDelete