In a post I did a couple of years ago I explained that lawyers usually analogize the crime of gaining unauthorized access to a computer to the crime of criminal trespass: In each instance, you’re doing something you’re not supposed to do and, as a result, are “harming” the owner of the computer/property in some respect.
The “harm” resulting from trespass on physical property seems to be an amalgam of privacy (if you come onto my property without my permission, you’ve violated my privacy) and my right to exclusive possession of the property. The “harm” resulting from unauthorized access to a computer system is . . . a little murkier. I think it definitely encompasses the second “harm” that justifies criminalizing physical trespass, i.e., you’re violating my exclusive right to possess and access my property (my computer/computer system, in this context). And it probably also encompasses the first “harm,” as well, because if you get into my computer system you are in a sense violating my privacy (or at least have acquired the capacity to violate my privacy by getting into the data I don’t want anyone else to know about).
I think the unauthorized access-criminal trespass analogy is far from perfect, but it’s pretty much all we have. It’s difficult, if not impossible, to develop analogies that symmetrically track digital and physical “harms” with any precision. That, however, is not the issue Lokkju Brennr raised. That issue, I think, is both more interesting and more difficult to resolve. Here it is:
The majority of the time when you do an activity, such as sending an email, you don't know whether or not you have the authorization to do so. For instance, when I sent my initial email to you, even without going into the underlying protocol issues, I did not know if I had authorization to access your email server or not. Now, I could make an educated guess that since you published your email address, it was permissible to contact you - but I did not have any specific authorization.
Lokkju also pointed out that given this state of affairs, unauthorized access statutes effectively criminalize “all normal use of the Internet.” That’s an interesting point; I’m going to use this post to speculate a bit about Lokkju’s point and about how the law deals with it . . . and maybe even how the law might change how it deals with it.
Let’s start with an unauthorized access crime statute. The federal statute is remarkably straightforward: “[Whoever] intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage” commits a federal crime. 18 U.S. Code § 1030(a)(5)(B). As I noted in an earlier post, the federal statute does not define “access”, but a number of state statutes do.
Most states define it as “to instruct, communicate with, store data in, retrieve data from or otherwise make use of any resources of a computer, computer system or network.” Arizona Statutes § 13-2301(E)(1). California’s definition is similar but a little more elaborate: “‘Access’ means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.” California Penal Code § 502(1).
Okay, U.S. states (and the criminal codes of other countries) define access. But do they define what it means to gain access “without authorization”?
Surprisingly, a few states do. Here’s how Colorado defines it: “‘Authorization’ means the express consent of a person which may include an employee’s job description to use said person’s computer, computer network, computer program, computer software, computer system, property, or services as those terms are defined in this [statute.]” Colorado Revised Statutes § 18-5.5-101(1). And here’s how Hawaii defines it: “‘Without authorization’ means without the permission of or in excess of the permission of an owner, lessor, or rightful user or someone licensed or privileged by an owner, lessor, or rightful user to grant the permission [to access the computer or computer system].” Hawaii Revised Statutes § 708-890. Minnesota has a slightly different and rather interesting approach to defining authorization:
‘Authorization’ means with the permission of the owner of the computer, computer system, computer network, computer software, or other property. Authorization may be limited by the owner by:
(1) giving the user actual notice orally or in writing;
(2) posting a written notice in a prominent location adjacent to the computer being used; or
(3) using a notice displayed on or announced by the computer being used.
Minnesota Statutes § 609.87(2a). And New Hampshire throws in a new element that expands the scope of authorization:
‘Authorization’ means the express or implied consent given by a person to another to access or use said person's computer, computer network, computer program, computer software, password, identifying code, or personal identification number.
New Hampshire Revised Statutes § 638:16(II). A few other states also have statutory provisions that define authorization, but they all tend to resemble one or more of these statutes.
So where does that leave us in terms of the issue Lokkju raised? When I send an email to you – to someone who didn’t email me first and whom I don’t know in the real world – how do I know if I’m accessing their email server (or, more accurately, I think, the email server that handles their email) with or without authorization?
As a matter of fact, I don’t. As a matter of fact, I simply assume I have authorization to access that server. All of the statutes quoted above define authorization as acting with the consent/permission of the owner of the computer system (the server); in so doing, they implicitly assume that the person KNOWS they are acting with the permission or consent of the owner of the system (server). Logically, I could argue that they assume (also or in the alternative) that it’s sufficient if I believe I have permission or consent to access the computer. I don’t think a subjective belief (however accurate or erroneous) works here, though, because I think the language of most of the statutes incorporates a higher standard, i.e., I think they predicate authorization on your having obtained some signal, some indication, from the owner of the system that it’s okay for you to access it. (But I could be wrong.)
The New Hampshire statute broadens that by adding “implied consent.” The other statutes expressly or (I would argue) implicitly require that there have been express consent from the owner of the system for access to be authorized. That’s why I believe they require a much higher standard than simple belief (“I thought it was ok, really I did”).
The New Hampshire statute doesn’t tell us how implied consent arises. Pennsylvania’s computer crime statute does shed a little light on this issue. It defines authorization as including “express or implied consent, including by trade usage, course of dealing, course of performance or commercial programming practices.” This language appears in a statute entitled “defense.” Here is the statute in its entirety:
It is a defense to an action brought pursuant to Subchapter B (relating to hacking and similar offenses) that the actor:
(1) was entitled by law or contract to engage in the conduct constituting the offense; or
(2) reasonably believed that he had the authorization or permission of the owner, lessee, licensee, authorized holder, authorized possessor or agent of the computer, computer network, computer software, computer system, database or telecommunication device or that the owner or authorized holder would have authorized or provided permission to engage in the conduct constituting the offense. As used in this section, the term ‘authorization’ includes express or implied consent, including by trade usage, course of dealing, course of performance or commercial programming practices.
18 Pennsylvania Consolidated Statutes § 7605(2). Connecticut has a similar defense to a charge of unauthorized access. Like the Pennsylvania statute, it bases the defense on the fact that the defendant “reasonably believed” that the owner of the computer system or the owner’s agent had authorized the access. Connecticut General Statutes § 53a-251(b)(2). The Connecticut statute, though, throws in another option: It’s also a defense if the person charged with gaining unauthorized access to a computer “reasonably could not have known that his access was unauthorized.” So this statute essentially puts the risk on the owner of the system; the owner must make it “reasonably” clear that access is not authorized unless you do something, have something, etc.
So where does that leave us? It’s pretty clear that U.S. law, anyway, doesn’t address the issue Lokkju raised, i.e., the problem of letting someone know whether their access is authorized prior to their act of accessing a system. It looks like a few U.S. states (New York has a statute similar to the Pennsylvania defense statute) deal with this issue by giving someone charged with unauthorized access the ability to use their belief that they were authorized to use the system as an affirmative defense. In U.S. criminal law, when someone raises an affirmative defense to a charge, they admit they committed the crime but use the defense to argue that they shouldn’t be convicted. Self-defense and insanity are affirmative defenses; someone charged with murder can concede that they killed the victim but argue that they are not guilty of murder because they acted in self-defense or were insane at the time.
Does that approach seem reasonable? If not, any alternatives?