Can you imagine being prosecuted for checking personal email while at work because your employer says you can only use your computer for “company business”? Of course not. Violating a company rule is not—and should not be—a computer crime. Prosecutors have tried to use the federal Computer Fraud and Abuse Act (CFAA) and parallel state criminal laws to target violations of company rules, but courts are increasingly calling foul on the misuse of statutes intended to criminalize computer break-ins.
The Oregon Supreme Court is one of them, saying “no” to prosecutors who tried to hold Caryn Nascimento liable under Oregon’s computer crime law for a violation of her employer’s computer use policy. EFF filed an amicus brief in the case, State v. Nascimento, and the court specifically cited our argument that “the state’s reading of the statute—which arguably criminalizes any computer use in violation of an employer’s personnel or computer use policies—is unworkably broad because it gives private entities the power to decide what conduct in the workplace is criminal and what is not.”
Nascimento worked as a cashier at the deli counter of a convenience store. As part of her job, she was authorized to access a lottery terminal in the store to sell and validate lottery tickets for paying customers. Store policy prohibited employees from purchasing lottery tickets for themselves or validating their own lottery tickets while on duty. A store manager noticed a discrepancy in the receipts from the lottery terminal and discovered that Nascimento had printed lottery tickets for herself without paying for them. She was charged with and convicted of not only first-degree theft, but also computer crime on the ground that she accessed the lottery terminal “without authorization.”
Nascimento took her case to the Oregon Supreme Court, where we filed a brief in her support. We did not challenge the theft conviction but explained to the court that the state’s interpretation of Oregon's computer crime statute was unworkable because it turned employees into criminals for reading personal email or checking a baseball game's score while at work, in violation of company policy. And, we explained, because Facebook’s terms of use prohibit users from providing false personal information, a Facebook user could be prosecuted for shaving a few years off her age in her profile.
The Oregon Supreme Court heeded our advice, rejecting the lower court’s expansive interpretation of the statute. The court held that violating an employer’s personnel or computer use policies could “lead to personnel actions or other private discipline or to possible proceedings under other statutes, but it does not violate” Oregon’s computer crime law. According to the court, the law’s history demonstrated that it was intended to criminalize access or use of a computer by someone who had no authority to do so—“the kind of intrusion or access to a computer by unauthorized third parties commonly referred to as ‘hacking.’” Meanwhile, “Nothing in the legislative history suggests that the statute was intended to reach a person who was trained and authorized to use a particular computer, but did so for an unpermitted purpose.”
As the court recognized, a company can restrict a person’s “authorization” to access or use a computer through setting up a password requirement or other authentication or security procedures. But here, Nascimento’s employer had done nothing to restrict her authorization. Because there was no evidence that she had “circumvented any computer security measures, misused another employee’s password, or accessed any protected data,” she was not guilty of violating the state’s computer crime statute.
The prosecutor’s interpretation of the statute would have transformed innocent employees and Internet users into criminals on the basis of innocuous, everyday behavior. We’re happy the Oregon Supreme Court took to heart our warnings about the dangers of such an expansive interpretation of the law and adopted a clear rule that limits the discretion of overzealous prosecutors.
We also hope this decision sets an example for other courts—including the Ninth Circuit Court of Appeals, which just issued two decisions that have eviscerated the clarity of CFAA law in the nine states its rulings affect. The decisions both involve password sharing, rather than Nascimento’s direct use of her employee credentials, but together they raise all sorts of questions about when an authorized user can give an outside person authorization to use their account and how and when a computer owner can revoke that authorization. We hope the Ninth Circuit rehears both cases and recognizes—just like the Oregon Supreme Court did with its state computer crime statute—that the CFAA should be limited to the purpose intended by Congress: targeting computer break-ins.
Special thanks to our local counsel, J. Ashlee Albies of Creighton & Rose, PC in Portland, Oregon.