Friday, July 6, 2012

"Exceeding Authorization" - are You a Criminal?

In New Jersey you are guilty of a cyber crime if you "knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility."

This to me is troubling at several levels. 

First off, if you find a lost cell phone ringing somewhere - a restaurant or bar, for example - and you answer it in an attempt to help someone locate their phone, you could be a criminal in New Jersey (did you know it was not your phone? If so, then you may have exceeded your "authorization").

More interesting is the case of Wayne Rodgers, a New Jersey teacher. Wayne sat down near a couple of computers during the school day and bumped a nearby mouse. The screen lit up showing emails in a co-worker's account with the subject: "Wayne Update."

The account was already logged in and Wayne took a look.

Eventually lawsuits were filed and the case went to court, with the question being whether Wayne did "... knowingly access without authorization ..." his co-worker's email account.

Ultimately the jury answered that Wayne did not "exceed" his authorization (Wayne had "access" because the co-worker left the account logged in).  Since the jury offered no written opinion we can only speculate why.

Laws like the New Jersey law are made to prevent what legislatures see as growing problems - in this case people making unauthorized access to the on-line email, banking, etc. accounts of others.

The first problem is that the law applies to lawful and helpful behavior as well as to "bad" or "evil" behavior, i.e., answering a phone you find ringing in public.  Sure I could just leave it there but then someone else might simply walk off with it.

Secondly there is the obvious concept of "authorization."

If I forget and don't log off, the court says I have provided access. So if I leave my phone around and "logged in" to something, then clearly this law says it's no problem for someone else to, say, look at it.

This might mean copying bank or other private information.

Of course, if I left my bank statement lying around in public I would have the same problem - except I can't access Facebook on my bank statement.

Then there is actually doing something with a phone I might find lying around that's already logged in - as in the case of Wayne.

The jury found that Wayne did not "exceed" this authorization.

Unless the school provided explicit instruction in the details of "authorization" and how to exceed it, it would really be a crapshoot.

From the geezer perspective we were taught not to touch what was not ours because it, well, wasn't ours.  Violating this and having mom or dad catch you would likely result in some sort of physical harm.  You didn't cross the property of others without permission, didn't go into their yard, and so on and so forth.

But now we need laws expressly forbidding each specific thing.
