Court Uses Computer Privacy Law to Crack the Whip on Use of Work Computer to Solicit Dominatrix-Prostitute

The Ohio Court of Appeals, in State v. Wolf, No. 08-16, slip op. (Ohio Ct. App. 5d April 28, 2009), recently upheld application of Ohio’s computer crime law to an employee who used his work computer to engage in criminal conduct (solicitation of a dominatrix-prostitute). While this holding may seem uncontroversial, another aspect of the decision might open the door to imposing criminal liability on employees for violating employer computer use policies.

Wolf was a Shelby City Wastewater Treatment Plant employee. The plant superintendent discovered nude photographs on Wolf’s work computer while performing routine maintenance. The superintendent notified police, who discovered that Wolf used the city-owned computer to solicit a prostitute, visit pornographic websites and upload nude photographs of himself during work hours.  At trial, the jury found him guilty of soliciting prostitution, theft in office and unauthorized use of a On appeal, Wolf challenged the trial court decisions overruling his motion for acquittal on both the charge of theft in office and the charge of unauthorized access to a computer. The Court of Appeals agreed that the trial court should have acquitted on the theft in office charge, but ruled that Wolf’s use of the office computer was unauthorized under Ohio law.

Theft In Office

Ohio Rev. Code § 2913.02 (A) (2009), reads, in part, “no person, with the purpose of depriving the owner of property or services, shall knowingly obtain or exert control over either the property or services.” Upon review, the Court of Appeals found that Wolf’s actions did not constitute the crime of theft in office. Specifically, the court found that while there was evidence Wolf spent nearly 100 hours viewing websites unrelated to his job, nothing suggested that his job performance suffered or that he failed to perform his job duties. Furthermore, the court noted that even if evidence showed Wolf had failed to perform his job duties, such evidence could only serve as a basis for his termination and not as the basis for a criminal theft in office charge. In this instance, surfing websites at work was not a theft of services under § 2913.02(A).

Unauthorized Use

Wolf did not fare as well in his appeal regarding conviction under the unauthorized use law. The statute, Ohio Rev. Code § 2913.04(B) (2009), reads in relevant part:

(B) No person… shall knowingly gain access to, attempt to gain access to, or cause access to be gained to any computer… without the consent of, or beyond the scope of the express or implied consent of, the owner of the computer… or other person authorized to give consent.

At trial, the State argued that Wolf acted outside the scope of authorization by engaging in criminal conduct. The Court agreed that the State’s unauthorized use charge was “based upon sufficient evidence,” i.e., Wolf’s use of the city computer to solicit prostitution, and that such use was “beyond the scope of the express or implied consent.” State v. Wolf, slip op. at 12. 

Notably, the Ohio statute applies not only to outsiders who infiltrate computer systems, but also to insiders such as Wolf, i.e., those who would otherwise have legal access but whose on-the-job activities go “beyond the scope of the express or implied consent” of their employers. Neither the statute nor the Wolf holding expressly limits the coverage of § 2913.04(B) to criminal activity. 

This uncertainty parallels that surrounding the Computer Fraud and Abuse Act (CFAA), a criminal statute designed to prevent unauthorized access to, and use of, computers. There is a split in authority regarding whether the CFAA can be applied to insiders authorized to use a computer or computing service in addition to outsiders. See, e.g., Condux Int’l Inc. v. Haugum, No. 08-4824, 2008 WL 5244818, at *4 & n.3 (D. Minn. Dec. 15, 2008) (collecting cases); US Bioservices Corp. v. Lugo, No. 08-2342, 2009 WL 151577, at *4 (D. Kan. Jan. 21, 2009) (narrowly construing CFAA and holding it applies only to outsiders).

It remains to be seen how the Ohio statute, and others like it, will be applied in this developing area of law.

Proskauer summer associate Kyler Scheid contributed to this post.

"Cyber-Bullies" Potentially Face Hard Time

State governments and federal prosecutors are cracking down on individuals who use the internet to harass or threaten others. On June 30, Missouri Governor Matt Blunt signed into law a measure that criminalizes online harassment. This new law represents a marked change in the legal treatment of this form of harassment, also known as “cyber-bullying.” Other states have enacted legislation to help stop cyber-bullies, but none has gone so far as to impose jail sentences on violators. The Missouri law, however, criminalizes the transmission of an electronic communication for the purpose of frightening or disturbing another. V.A.M.S. 565.091 (not yet chaptered). Adult violators of this new law face up to 4 years in prison if they perpetrate the offense against a child.

The legislation responds to the 2006 death of 13-year-old Megan Meier, who committed suicide after being harassed repeatedly on MySpace. The harassment was allegedly perpetrated by Lori Drew, a 47-year-old woman who falsely assumed the identity of a fictitious teenage boy on MySpace and posed as this character to develop an online relationship with Meier. The girl’s suicide was allegedly prompted by disparaging comments made by Ms. Drew disguised as the teenage boy. The tragedy outraged the Missouri community in which it occurred, but local authorities were unable to prosecute Ms. Drew because cyber-bullying was not illegal.

Federal prosecutors, however, have been more inventive, using unconventional means to go after Ms. Drew.  On May 15, the U.S. Attorney in Los Angeles obtained an indictment against Drew under the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, a law most commonly used to prosecute computer hackers who steal sensitive information stored on databases or corrupt computer systems.  Ms. Drew’s indictment alleges that she provided false information in order to register her MySpace account and violated various aspects of the company’s terms of service, including prohibitions on soliciting information from minors and using information gathered from the website to harass, abuse or harm other people.

The indictment essentially asserts that by providing false information to access MySpace and violating the terms of service, Ms. Drew hacked into the MySpace network, causing damage to the network and physical injury to Meier.  This novel use of the CFAA demonstrates the challenge of prosecuting serious online harassment in the absence of laws such as Missouri’s.  Successful prosecution of Ms. Drew under the CFAA could have far wider implications for users of online networking sites, suggesting that violation of a website’s terms of service could give rise to criminal liability.

For a discussion of cyber-bullying and the use of the CFAA in prosecuting Ms. Drew, please view this clip of the Jim Lehrer News Hour, featuring Proskauer Partner Christopher Wolf.

Proskauer summer associate Matt Jackson contributed to this report.

Expectation of Privacy in Student Computer Persists in the Absence of Announced Monitoring Policy

Last week, a panel of the Ninth Circuit Court of Appeals held that in the absence of an announced monitoring policy, the mere act of connecting a computer to a network does not extinguish a user’s reasonable expectation of privacy, under the Fourth Amendment, in the contents of his or her computer. The panel announced its holding in United States v. Jerome T. Heckenkamp, Nos. 05-10322 and 05-10323 (9th Cir. April 5, 2007), wherein it upheld the introduction of evidence obtained by University of Wisconsin employees through remote and direct access of a student computer attached to a university network. Although it recognized the defendant’s reasonable expectation of privacy, the panel upheld the lower court’s admission of evidence under the judicially-created “special needs” exception to the Fourth Amendment because the alleged hacking posed an immediate threat to the university network and the searches were not conducted for a law enforcement purpose.   

 Jerome Heckenkamp, a student at University of Wisconsin at Madison, was charged under 18 U.S.C. § 1030(b)(5), the Computer Fraud and Abuse Act, in connection with an alleged attempt to hack into protected systems at University of Wisconsin and Broadcom. At trial, Heckenkamp moved to suppress evidence obtained from two searches of his computer. The first search occurred after Broadcom security alerted the University that a University computer was being used in an attack on Broadcom. A University computer investigator, Jeffrey Savoy, identified the IP address of the offending computer, determined that it also posed an immediate threat to the University’s sensitive systems, and performed a remote search of Heckenkamp’s computer to confirm that it was the computer responsible. Later that day, Savoy suspected that Heckenkamp changed his computer’s IP address in an attempt to mask his activities. Notwithstanding the FBI’s recommendation that Savoy wait for a warrant before proceeding, Savoy, with the help of campus police, entered Heckenkamp’s room when the door was ajar and ran a series of commands that confirmed Heckenkamp was responsible for the attacks. Savoy justified the warrantless search on the grounds that the University’s systems could have been critically damaged and that Heckenkamp could gain access to confidential student files. Heckenkamp was a skilled computer programmer and was familiar with University systems; he had been fired from his position at the University computer help desk for attempting to access University systems without authorization.

Heckenkamp reaffirms the importance of establishing and distributing policies regarding the monitoring of computer use. The panel relied heavily on the fact that the University had no such announced policy, and in fact had assured students of data confidentiality:

A person’s reasonable expectation of privacy may be diminished in transmissions over the Internet or e-mail that have already arrived at the recipient. However, the mere act of accessing a network does not in itself extinguish privacy expectations, nor does the fact that others may have occasional access to the computer. However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user. United States v. Angevine, 281 F.3d 1130, 1134 (10th Cir. 2002) [professor using university computer]; United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) [federal employee using federal computer system].

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that ‘[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the State.’

Heckenkamp at 3888 (citations and quotations omitted).

The Ninth Circuit likely will have to clarify in future litigation the scope of reduced privacy expectations where users are advised of monitoring.

A copy of the Heckenkamp opinion is available here.