In the U.S., the federal system and every state make it a crime to gain "unauthorized access" to a computer system. This crime reaches the conduct I noted above: an outsider who is not supposed to be able to access a computer system gains access by compromising the security that was supposed to keep him out.
There is, though, another kind of "unauthorized access," one that is outlawed in many states and, in some forms, at the federal level, as well. This takes the form of an insider's exceeding the access she legitimately has to a computer system. This type of conduct can be problematic for the law because you are dealing with someone who is authorized to access a computer system, at least for certain purposes; the question of criminal liability arises when she either goes beyond the scope of her authorized access or uses her authorized access for illegitimate purposes.
For example, on October 18, 2001, Philadelphia Police Officer Gina McFadden was on patrol with her partner. That day, the computer in McFadden's patrol car, like the computer in all the other patrol cars, was broadcasting a message about a missing truck containing hazardous materials. For some incomprehensible reason, at 1:00 that afternoon McFadden used the computer in her patrol car to transmit a message that ostensibly came from terrorists; in profane language, the message stated that it was from people who hated America and had "anthrax in the back of our car". (State v. McFadden, 850 A.2d 1290 (Pa. Super. Ct. 2004)). The investigation launched into this transmission focused on McFadden, who ultimately admitted sending the message.
She was charged with and convicted of "intentionally and without authorization" accessing a computer system. (18 Pa. Cons. Stat. Ann. sec. 3933(a)(2)). McFadden argued that she was improperly convicted because she was authorized to use the computer in her patrol car. The appellate court rejected this argument, explaining that while McFadden was authorized to access the computer for purposes "of official police business, she was not authorized to access the computer for any other purposes. . . . She certainly was not authorized to access the computer for the purpose of distributing a message which implied that a Philadelphia police car had been contaminated with anthrax by terrorists." (State v. McFadden, 850 A.2d 1290 (Pa. Super. Ct. 2004)).
What the court did not explain, of course, is precisely how McFadden knew she was not authorized to do this; common sense tells us that her conduct was beyond the pale, but common sense cannot substitute for legal standards when criminal liability is at issue. McFadden's crime is more accurately described as "exceeding authorized access." This captures the "insider" aspect of the offense. We do not know if she sent the bizarre message because she was angry at the police department that employed her and wanted to strike back, or whether she simply had an unfortunate sense of humor.
There are many "insider" cases, but one from Georgia captures the peculiar difficulties that can arise when a trusted insider goes rogue. Some years ago, Sam Fugarino worked as a computer programmer for a company that designed software for surveyors. (Fugarino v. State, 243 Ga. App. 268, 531 S.E.2d 187 (Ga. App. Ct. 2000)). He had become a "difficult" employee, but went around the bend when the company hired a new worker, in a completely unrelated position.
Sam became visibly upset, telling a co-worker that the "code was his product" and "no one else was going to work on his code". The other employee saw that Sam was deleting massive amounts of files, so that whole pages of code were disappearing before this employee's eyes. The employee ran to the owner of the company, who came to Sam's desk. Sam told the owner that the "code was his" and that the owner would never "get to make any money" from it. The owner managed to convince Sam to leave the premises, but then discovered Sam had added layers of password protection to the computer system, the net effect of which was to lock the owner and other employees out of the program Sam had been designing.
The upshot of all this was that Sam was charged with "computer trespass" under Georgia law. More precisely, he was charged with using a computer system "with knowledge that such use is without authority" and deleting data from that system. (Ga. Code sec. 16-9-93(b)). Sam was tried and convicted; he appealed, claiming that his use of the computer system was not "without authority". Sam, of course, had full access to the computer system; and as a programmer whose job was developing software, he was authorized to use his access not only to write code but also to delete code.
The Georgia appellate court upheld Sam's conviction, using a common-sense, "you should have known what you were doing was wrong" approach very similar to that used by the McFadden court. It noted that at trial the owner of the company testified he had not given Sam authority to delete "portions of the company's program" . . . which ignores the fact that Sam clearly did have authority to do precisely this.
The issue is one of degree: Sam was authorized to delete program code as part of his work developing software; the problem is that he clearly went too far, that he was apparently bent on erasing all of the program code. Clearly, the owner had not specifically told Sam that he was not authorized to delete an entire program; the need to do so had probably never occurred to him.
The Fugarino case illustrates a difficult question that arises when "insiders" are prosecuted for "exceeding authorized access." How, precisely, is someone to know when one exceeds authorized access? Relying on the common-sense, "you-should-have-known-it-when-you-did-it" approach taken by these courts is, I would argue, quite unsatisfactory. The over-the-top nature of the conduct at issue in these cases may make the approach seem reasonable, but in fact it is not.
Every organization has a host of trusted "insiders" who have authorized access, in varying degrees, to the organization's computer system. Like Sam's employer, most organizations seem to assume that insiders understand the scope of their authorized access and will abide by that understanding. This assumption no doubt derives from our experience with physical security. It is relatively easy to deny employees access to physical spaces; physical boundaries are fixed and obvious. Assume Sam had a key to his own office, but not to his employer's office. If Sam had been found in his employer's (formerly) locked office shredding documents, he could not credibly have claimed that his "access" to the office and the files locked inside was "authorized." It would be reasonable to infer from his conduct (somehow breaking into a locked office) that he knew he was not authorized to be there, that he was doing something "wrong."
Virtual boundaries tend to be invisible and mutable. In a literal sense, Sam did nothing he was not authorized to do; he did not (virtually) break into a locked area and attack data shielded inside. He was authorized to delete code and he deleted code.
As a matter of simple fairness, criminal law demands that one be put on notice as to what is, and is not, forbidden. The question raised by cases like these is precisely how we do this for the "insiders" who legitimately have access to our computer systems.
Your summary is incorrect. I did not get upset and leave. I told my boss that I was going to leave, packed my briefcase and left. No files were deleted. He asked me what he could do to make me stay. Later that evening, I returned to work. An argument started in which I told him that I felt like he was taking advantage of me. It is at that point that he fired me and called the police. I did not delete any files, or for that matter, even start the work station. All this happened on a Friday.
That night I spoke with my twin brother and told him what had happened. A few days later, he called me and told me that Cowherd had called him and wanted the passwords to the computer. I was quite angry that he called my brother. He called him at work. He knew my brother worked for a local company's plant in Merced, California. He actually called him before speaking with me or my wife.
The operating system was Windows NT 3.51, but the disk was formatted with FAT32. He really didn't need the passwords. Besides, I installed the operating system on the computer and hadn't been given any guidance on company passwords.
About a month went by before I was arrested. The police did a search of the computer, but did not look in the directory in which I did my development. I was found guilty based on a snow job by the DA. They presented files in the recycle bin, most of which were object files created and deleted by the Microsoft compiler I used. They then gave the computer back to Cowherd weeks before I was arrested.
One thing is certain from the printouts the police produced: someone created at least one file and deleted it after I left and before the company turned the computer over to the police.
Ironically, the dates the DA used at trial were dates the files were last modified, not deleted. In other words, there was absolutely no proof that I deleted anything.
Everything I said in this post comes from the decision I cited in the post. If you have problems with that, you need to contact the court.
As to the conviction's being set aside, I checked on Lexis and did not find any information about what happened afterward. The omission was therefore not deliberate. Indeed, I would have been happy to include that fact in the post . . . and have now done so, in effect, by posting your comment.
If you want to post any further comments as to errors in the court's opinion and/or in my post, I will post them once I receive them.
On March 4, 2000, the Court of Appeals of Georgia published its opinion in Fugarino v. State, 243 Ga.App. 268, 531 S.E.2d 187. The Court begins its opinion by explaining that
Sam Emile Fugarino was convicted by a jury of computer trespass, Code of Georgia § 16-9-93(b), for using a computer with the intention of deleting or removing data from that computer without authority of the computer's owner. Fugarino appeals from the trial court's order denying his motion for new trial, arguing the general grounds and that a mistrial should have been granted due to juror misconduct. We affirm.
The Court of Appeals, Ellington, J., held that: (1) evidence was sufficient to support conviction, and (2) defendant was not entitled to mistrial based on alleged juror misconduct.
The Court of Appeals’ decision in this case is available here:
