Richard Wolf, a government employee in Ohio, surfs the web at work. He gets busted by his boss for having a nude picture of himself on the computer. Boss calls cops. Guy gets convicted of a number of charges including one of ‘hacking’ a computer.
From the first link: ‘The appellate court wrote that Wolf’s conduct was “beyond the scope of the express or implied consent” and the charge of unauthorized use of a computer was based upon sufficient evidence.’
‘Hacking’ in this instance refers to surfing the website AdultFriendFinder for hookups.
A computer expert found ~700 images on the computer. I’m inclined to think as the boss was cleaning up old files on the computer that he didn’t find them (inferred from the articles), then these images were probably in the browser cache and not deliberately stored on the computer by Wolf, but got stored there as a result of his browsing.
From my days as a network admin, I’d talk to the user if I only found a couple of nude pictures. If I found large amounts of pictures and a consistent pattern of activity, or clearly illegal items, like kiddie porn, I’d talk to his supervisor and get HR informed. A network admin shouldn’t be a cop, nor call the cops of his own volition; he should report to his supervisor and follow company policy. In this instance, there isn’t a clear policy as to what was allowed by the organization and what wasn’t.
Regardless, the charge wasn’t about having porn on his computer. It was using the computer in a way not authorized by those in a position to provide such authorization? So, for those of us who like to peruse the SD from work, should we be fearful of getting thrown in jail for it?
Depends on where you work. I’ve worked at a few places where if I circumvented the system to surf the SD it would have meant my job, certainly. I doubt I’d have been thrown in jail, but I can imagine that if you worked on a highly classified network and you circumvented the system to surf a public network you could be jailed for that, sure.
Based on the story, the law is written poorly. The jury agreed with a construction put on the wording of the law proposed by the prosecutor. The appellate court agreed that the conviction follows the (poorly worded) law.
I’m not sure at what point the appellate court should throw out the conviction or overturn the law.
I do agree the law is stupid as worded and that the conviction (heck, the whole trial) was a serious matter of overkill.
(I have also not yet tracked down the law, but wonder if it applies only to state-owned computers. You might not be in jeopardy if you are doing this from your computer at XYZ Corp.)
This is the problem with having well-intentioned (we hope), ignorant people writing laws for advancing technology.
This reminds me of the Lori Drew trial (more here) where the same Computer Fraud and Abuse Act was misused to make it a felony to violate the TOS of Myspace. In short, she got hit with a felony for using a fictitious name on Myspace. There were additional circumstances to the incident (namely that it involved cyberbullying that led to a suicide), but she wasn’t directly charged for that.
I wonder if it is like the defense attorney stated that it was only because of the porn aspect that this even made it to a court. There was no hacking as any computer professional would determine it. There was no blocking at the firewall. Good internet filters are relatively reasonably priced at under ~$10K. AdultFriendFinder would not be something any filter would miss if set up properly. There wasn’t even a policy in place by the organization that told employees what not to do.
I can only hope that this is a case where some wrong was done for which there was no actual law that would apply (as regards driving someone to suicide) so the state casts about for anything to punish the perpetrator with. Hopefully the state will not be so zealous about sending me to jail for violating SDMB TOS if I get pissed and call someone a troll here or something.
Kind of akin to Al Capone getting busted for tax evasion.
From the facts in the court opinion it looks like the Superintendent found the naked picture and then notified his Director. The Director then called the police who found all the other pictures and evidence.
The exact charge wasn’t for having porn. It was actually for soliciting prostitution. In other words, he was using the computer outside his authorized scope by using it to hire a prostitute.
It looks like the law was badly written like tomndebb mentioned above.
It’s pretty clear the guy did violate the plain language of the law. However, the Appellate Court might have had their hands tied because the defense lawyer did not challenge the meaning of the law. He just challenged the rulings based on sufficiency of evidence grounds. I don’t know why he didn’t at least raise the issue, but it looks like he didn’t. A jury conviction is pretty reasonable if you consider the fact that the jury was read the law as it was quoted above.
So for those of you in Ohio still using a computer outside its authorized scope, you still have a shot on appeal if you are ever convicted.
The thing is you could still be in violation. For instance, I was the system admin at a hotel and one guy wanted access to something that was clearly against company policy. The GM ordered me to give it to him. I went to H/R and they confirmed that if the GM wanted it I should give it to them. I said “Why are you asking me to do something that clearly states I could be fired for?”
So I made H/R and the GM sign a statement ordering me to do so and stating this was against my advice and clearly against company policy.
Now that covers my butt, but the fact remains: that user had NO AUTHORIZATION to go into those sites.
Corporate says in written documents they cannot under ANY circumstances access such information.
You see, so even if you have rights, the way the Ohio law was written it says “exceeding authorization”: that person I allowed in was exceeding his authorization, even though I allowed him to access it. See, there is a difference between allowing authorization and viewing and getting data.
That person could still be liable because my allowing him access doesn’t give him the authorization to view. It just gives him the ability.
You see the GM and H/R had no authorization to give him access to that site. Only corporate could and they refused. The GM ordered me to give him the ability to access the site. See that is the difference.