This is not a political rant. I promise. Tulsa teacher Shelia Buck was arrested outside the President’s rally after campaign officials saw that she was wearing a t-shirt that said “I Can’t Breathe” and had her kicked out of a secure zone outside the rally and arrested for “trespassing” and charged with “obstruction,” despite having a ticket for the event.
So what does that have to do with hacking?
The federal and most state computer crime statutes were intended, at least in part, to deal with a gap in the then-existing criminal law, whereby if you “broke in” to a house or office, you were guilty of, at a minimum, criminal trespass, and if you stole documents or records, you were additionally guilty of theft and/or burglary. The same activities in the virtual world – electronic trespass and electronic theft (where the thing “stolen” was still there) had no legal parallel. Hence, computer crime laws.
One of the basic elements of the computer crime statute then is the idea of “trespass” or “accessing” a computer or network “without authorization” or “exceeding authorized access.” And that’s the problem.
Just as in the case of Ms. Buck, the concept of “authorization” or exceeding authorization, or withdrawn authorization is a squishy on the information superhighway as it is on the roads outside the BOK Center in Tulsa. The Tulsa Municipal Code Section 2106 makes it a criminal trespass in a public or private place to, for example, remain in a the place and refuse to leave after a demand by the owner or occupant. It’s also a trespass to use “any public building, except for the purpose of transacting business with a public corporation….”
Imagine going to a Red Sox game wearing an Aaron Judge jersey, and despite having a ticket to Fenway, a security guard tells you to leave. You object. “I have a ticket!” Well, the ticket is just a revocable license to attend the event. Your license to attend has been revoked — presumably by an authorized representative of Fenway Sports Group, the owner of the park. Your continued presence — even if to object to the ejection — is now a crime. Now for public property, discrimination based on content of speech, or for that matter the exercise of the right to peaceably assemble would present Constitutional issues. But for private property, like the BOK center or Fenway (but not so clear about the area around BOK center) you can be thrown out for looking the wrong way, although as a public accommodation, certain forms of discrimination may be unlawful. The Tulsa police said of Ms. Buck that she was “in an area that is considered a private event area and the event organizer … can have people removed at their discretion.” Which brings us back to the hacker statutes.
Websites, typically through their Terms of Use or Terms of Service, or employers through employment policies, will typically describe “permissible” and “impermissible” behavior. You typically are not authorized to use the website, the social media site, the computer, email, etc., for such “impermissible” behavior.
So there are three ways to “access” a computer or network without or in excess of your authorization. One is to “break in” – to go somewhere you are not allowed to go, by breaking a lock, or even tricking your way in. Cracking a password, duping someone into giving credentials, etc. The second is to go somewhere you ARE allowed to go, but doing something you aren’t allowed to do. Sleeping in a public park. Going to a government office for a purpose other than transacting business. Posting offensive materials on Facebook. The third is to go somewhere you are allowed to go, doing something that the “owner” doesn’t want you to do, and then ignoring a demand to leave. So when LinkedIn told data analytics company HiQ that they should “cease and desist” from scraping their website, and that their continued access to the LinkedIn data was a violation of federal and state trespass laws, and where they created a technological measure to prevent HiQ from scraping data from the site, did this constitute “trespass?”
Magic 8 ball says, “Situation Unclear. Ask Again Later.”
The law on computer “trespass” is vague and ambiguous precisely because the law on trespass is vague and ambiguous. The majority of courts have concluded that merely violating terms of service, or doing something that the owner of the computer or network does not want you to do (and even tells to you to stop doing) is not a crime, although many other courts have come to the opposite conclusion. The HiQ court in California ruled that it was not a crime, although that case is currently on appeal before the U.S. Supreme Court.
For businesses wanting to use the law to enforce things like employee computer use agreements, terms of service, software license agreements and the like under a “trespass theory” of liability (your permission to be here is revoked, you are now trespassing), it helps to have specific revocation of authority coupled with the implementation of strong technological measures to prevent access. Cancel the account. Delete the passwords. At the end of the day, the trespass law (at least electronically) will depend not on someone doing something you don’t like on your site, but on them not having authorization to go to your site at all. Probably.
And one final bit of advice. While you can wear a Yankees jersey at Fenway, as a former paramedic at Yankee stadium, I would heartily recommend that you NOT wear a Sox jersey at the House That Ruth Built (well, rebuilt?) That’s how people get hurt, if you know what I mean. Fuggetaboutit.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.