Employee beats computer crime rap
Who would ever dream that the back story for a cutting-edge case on computer crime would begin with a drunk driver answering the call of nature on the side of a road?
Somehow, we get from that dreary image to answering an important legal question: Does an employee commit a crime when he uses his password-protected access to his employer’s computer system for a purpose that violates workplace policies?
The saga begins with a traffic stop in Mercer County, New Jersey.
In the early morning hours of Jan. 6, 2008, Princeton Borough police stopped a suspected drunk driver. Police Sergeant Robert Currier participated in the stop.
At some point, the driver apparently indicated that he desperately needed to answer the call of nature.
Currier, demonstrating the humanity and common sense that most of us would appreciate in a good police officer, allowed the driver to step into some nearby bushes and relieve himself.
All well and good except that Currier has an enemy in the Princeton Borough Police Department.
For reasons unknown, Sergeant Kenneth Riley allegedly has it out for Currier.
Riley got wind of Currier’s encounter with the drunk driver. Because allowing public urination isn’t exactly in accordance with the letter of the law and department policy, Riley saw an opportunity to cause Currier some grief.
That’s when Riley allegedly took two steps that resulted in criminal charges against him.
Traffic stops by the Borough’s police officers are digitally recorded and automatically downloaded to the Mobile Vision Recorder (MVR) database on the department’s computer system.
Knowing this, Riley allegedly used his computer password to access the MVR database and view the video of Currier allowing the drunk driver to relieve himself in the bushes.
Riley allegedly then showed the video to others in the department with an eye towards embarrassing Curry and perhaps getting him disciplined.
Now, police department policy allows supervisors such as Riley to view and disseminate MVR videos for training and job evaluation purposes.
But because Riley accessed the video of Currier’s traffic stop for an allegedly improper purpose, the state of New Jersey indicted Riley for violating provisions of the state’s computer crime law.
Under New Jersey law, a person commits a third degree offense if he knowingly or purposely “accesses” computerized data “without authorization” or “in excess of authorization.” A person also commits a third degree crime if he knowingly or recklessly discloses the data that was wrongfully accessed.
So Riley was charged with both criminally accessing and disclosing the recording of Currier’s traffic stop that was stored on the department’s computer system.
This raised a question of first impression for Judge Mitchel Ostrer of the New Jersey Superior Court.
In seeking to dismiss the indictment, Riley argued that the computer crime laws at issue did not apply to him because he had password-protected access to the department’s computer system.
Last week, Ostrer found the statutes ambiguous.
“It is uncertain what it means, first, to access computerized data, and second, what it means to do so ‘without authorization’ or ‘in excess of authorization,’” Ostrer wrote. “It is also unclear whether unauthorized access may be proved solely with evidence that a defendant, who is an employee or other ‘insider’ with current password-access, knowingly violated internal guidelines regarding use of computer-based information.”
Faced with a perceived ambiguity in the criminal code, Ostrer adopted a narrow reading of the term “authorization” that precludes the conviction of employees with password-protected access to the computer database at issue.
“Neither the statute’s plain language, nor its legislative history, clearly compels a broad reading of the statute that supports the State’s indictment,” Ostrer concluded. “Under such circumstances, this court must construe the statute strictly, against the State and in favor of defendant. A strict construction, favoring defendant, would limit the concepts of ‘without authorization,’ and ‘in excess of authorization,’ by construing ‘authorization’ to refer to password or code-based rights.”
In dismissing the computer-crime indictments against Riley (leaving intact charges of official misconduct), Ostrer submitted the proposition that employees regularly violate workplace guidelines concerning computer use.
The judge said that to criminalize such commonplace misconduct would open a Pandora’s box of criminal prosecutions.
“[A]ssuming that a broad range of the population violates internal workplace computer use policies at one point or another, then deeming such violations a crime would empower the State, unguided by firm definitional standards, to choose to prosecute whomever it wishes from that broad cross-section of the population. The vagueness doctrine is designed to prevent that. In short, the criminal law should not be some pliable material that the State may bend and mold at will to fit an unwarned defendant,” the judge wrote. (New Jersey v. Riley)
— Pat Murphy
