Unauthorized Access of Computers

From OCDLA Library of Defense
This wikilog article is a draft, it was not published yet.

by: Ryan • May 4, 2015

In State v. Nascimento, the Court of Appeals affirmed the conviction of the defendant for computer crime, under ORS 164.377(4). Her primary issue on appeal was whether her use of a computer was "unauthorized," as required by statute. The COA summed up the issue and the holding this way:

This case, as argued by defendant, boils down to whether ORS 164.377(4) encompasses conduct that (1) only involves a person accessing a device itself without authorization or (2) also encompasses using a device, which the person otherwise has authorization to physically access, in a manner contrary to company policy or against the employer’s interests. Under the circumstances of this case, however, we need not resolve that issue. There is evidence in the record that defendant’s store manager gave defendant limited authorization to physically access the lottery terminal to only sell tickets to, and validate tickets for, paying customers and only when the counter employee was not available to do so. This is not the case that defendant tries to make it out to be. This is not a case where defendant had general authorization to be on a computer to carry out her duties, but then used that computer in a manner that violated company policy—such as, to use defendant’s example, by playing solitaire during work hours. For defendant’s duties, the lottery terminal had but one function: to sell and validate lottery tickets. There was evidence from which the jury could conclude that she was authorized to access the physical device itself—the lottery terminal—only to serve paying customers. Thus, even taking defendant’s construction of the statute, there was sufficient evidence in the record from which the jury could rationally conclude that defendant accessed the lottery terminal without authorization.

What do other jurisdictions say about what constitutes unauthorized access? The case law appears to be all over the map.

Orin Kerr is publishing a paper on the topic of "unauthorized access" for the Columbia Law Review. The abstract states:

Federal and state laws prohibit computer trespass, codified as a ban on unauthorized access to a computer. In the last decade, however, courts have divided sharply on what makes access unauthorized. Some courts have interpreted computer trespass laws broadly to prohibit trivial wrongs such as violating Terms of Service to a website. Other courts have limited the laws to harmful examples of hacking into a computer. Courts have struggled to interpret authorization because they lack an underlying theory of how to distinguish authorized from unauthorized access.
This Essay offers such a theory. It contends that authorization is inherently contingent on social norms. Starting with trespass in physical space, it shows how concepts of authorization necessarily rest on shared understandings of what technologies and its users are allowed to do. Norms classify the nature of each space, the permitted means of access, and the permitted context of access. This idea, applied to the Internet, readily answers a wide range of difficult questions of authorization under computer trespass laws such as the Computer Fraud and Abuse Act. It shows that the open norms of the web authorize most kinds of web use. On the other hand, the closed norms of authentication limit use of canceled or shared accounts. Properly understood, the norms-based nature of trespass does not render unauthorized access laws uncertain. To the contrary, the lines to be drawn become surprisingly clear once you identify the correct norms of computer usage.

A recent blog post at Volokh Conspiracy, which includes a link to the draft of his article, can be found here.