Short version. In a sting operation, a police officer took money to look up the DMV records of someone for unofficial use. He was convicted under a federal computer hacking law which makes it illegal for someone who uses a computer system “without authorization or exceeds authorized access.”
The defendant argues that he had the computer authorization to look up DMV records. The government argues, yes, but he was not authorized to access it for that purpose.
On one hand, I think the guy should be punished. It is pretty abusive for a police officer to abuse the trust of the public like that. However, a broader ruling could make a lot of people federal criminals.
Take the SDMB. I am authorized to post here. However, I am not authorized to post personal insults in MPSIMS. If I insult another poster here, have I committed a federal crime because I exceeded my authorization given by the SDMB?
I would have to conclude that it is just a horribly drafted statute and needs corrected.
I believe the difference is that we part of a private sector group and are bound by forum rules and specific penalties are outlined in our use of service agreement (forum rules). This officer was part of government entity and is bound by laws about use of the system.
I don’t see in the statute where that makes a difference at all. The SDMB is a computer system. I think it would be clear that I would violate this statute if I hacked into it.
Regarding what Van Buren himself did, I believe that should be illegal. The debate is, seemingly, how broadly or narrowly the statute in question should be interpreted. That’s a tougher question to answer. Does it apply only to government systems like the Georgia Crime Information Center which Van Buren accessed? What if this had instead been a bank employee looking at someones banking information, or a medical worker looking up someones health records (which is already covered by HIPAA)? I don’t know the answer to those questions, but it definitely seems like something that needs to be clearly spelled out in the law rather than being left to interpretation by judges and juries across the country.
Again, nothing in the law makes the government v. private distinction. It is any computer system, whether that be the IRS or Facebook or the SDMB. Sure, other laws might come into play for government systems (or any system) but the question is whether this law applies and what constitutes “exceeds authorized access.” That could be a lot of things if you think about it. If you tell your kid that he can use your phone to check his email but he also checks the weather, then it seems that according to a Neil Gorsuch-literalist interpretation that he exceeded the access you authorized, even if you subsequently said it was okay.
I see I didn’t read this carefully and I think it goes to the heart of the case. Which of the following statements are correct:
The SDMB authorizes me to use its computer system to post about anything at all. However, if I create a post which violates rules which it has outlined, it may then subsequently revoke that authorization.
The SDMB does not authorize me to create a post which violates board rules.
I believe that in the case of this specific board the first statement is correct since we are a board with moderators that rule on postings content and their adherence to the boards rules. You can post anything you like but if it is found to be against board policy a post can be banished to the cornfield and the user banned.
Many other boards and groups are only moderated in name only or are not moderated at all.
Your authorized access is to post on the SDMB. If you break those rules, you can be banned, but you’re definitely allowed to post without falling foul of the law.
If you somehow got access to administrative functions and used those to ban people, that might fall afoul of this law, since you’re not authorized to perform administrative functions.
Similarly, if you are an admin and you took money to send hidden details or credit card information of posters here to someone, I think that would fall afoul of the law.
I agree with the prior two examples (although I can see how others might think differently) but this example I’m not sure. Absolutely I commit a crime if I sell credit card information to others, but we are talking about this specific law, and as this case illustrates, in your example, I am an admin who has permission to access that information. How did I exceed my authorized access by accessing what I am authorized to access?
I agree, but I don’t think any English speaker would say that the SDMB has authorized me to post things that violate board rules. It doesn’t sound right to the ear.
The details of the authorization are important. I have a feeling in this case the authorization was minimally defined, not uncommon in law enforcement that avoids hard and fast internal regulation and using existing law as the fallback. I don’t think the court would be sympathetic if there was a document clearly stating permitted use of the computer system and specifically ruling out all other uses.
I don’t know what the legalities are, but this is a case where the defendant accepted money for accessing information, quite a big different from very common unauthorized access to DMV records.
Someone accessed DMV records for me one time, I was trying to track down whoever hit my car in a parking lot based on a questionable license plate number. I didn’t have to go to the police to get started, I knew the owner of the company that produced the software and maintained that system. I don’t know if he was violating any law, but he wasn’t accessing the system for legitimate maintenance that he was permitted to do. The license plate number was invalid, I suspect the note left on my car was written by the guy who hit it and he put a fake number on it.
So the details of the user agreement might be important? Say you work for the state or feds, or even a private company. When you login to your workstation each day it says, “THIS COMPUTER SYSTEM IS AUTHORIZED FOR OFFICIAL BUSINESS ONLY.”
If you goof off on the SDMB or even send a quick email to your wife before you leave for home, is that a federal felony under this law?
What if they didn’t use the right magic word “authorize”? If they merely suggested, requested, or demanded would those fail the law?
That’s really the issue with how I see this proceeding. The shitty thing that Van Buren did might lead some Justices to come to a result that would have overwhelmingly complex implications.
I think so. I’m not saying it’s a good law, or that is a good authorization, but assuming OFFICIAL BUSINESS is something that can be established, and it doesn’t included goofing off on the Dope or sending emails to my wife, then yes, it is a violation of the law.
Now what do you think about your hypothetical if it includes me paying you to goof off on the Dope?
Hacking usually involves accessing data you are not authorized to access. So if the SDMB admins somehow managed to capture everyone’s password, that would be hacking. Violating terms of agreement is not hacking. When I was a network engineer in the 1980s and 1990s, I had access to everyone’s data. However, I’d be in legal trouble if I accessed payroll data or used my time to browse for PIPs, even though I had the ability to look.
If you exceed what you are authorized to post here you will be warned, then suspended, then banned. However, no criminal charges will be filed.
And to answer another poster, the mods have no access to personal information such as credit card numbers nor even real name unless a poster chooses to include it. But if we did and gave it away to anyone, I am sure the banning would be immediate.
That’s not the question. It is not what the SDMB would do. It is what federal prosecutors, presented with complete information COULD do. And if your characterization is correct (“exceed what your are authorized to post here”) then the person is guilty of a federal crime by the plain, literal text of the statute.
It looks to me like tge stipulations in that law all involve unauthorized access with intent to do something like access protected information, commit fraud or do something against US national security interests.
Maybe there are scenarios where the law could overreach but it seems like it can’t just be breaking TOS.
If the law really was so broad that it made it illegal to post against forum rules that would seem like a pretty obvious first amendment violation.
I agree. My plain reading of the statute suggests that the violation described in (1) involves protected government data and foreign governments. (2) involves financial information, information from Gov’t departments or agencies, and information from a protected computer which is used for Financial Inst. or the Gov’t. And the rest are largely similar.
To me, it does not indicate that unauthorized use of a computer for other reasons is a violation of this statute.
which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States …"