SecurityFocus contributor Mark Rasch."> Lazy Workers May Be Deemed Hackers
      Digg this story   Add to   (page 2 of 2 ) previous 
Lazy Workers May Be Deemed Hackers
Mark Rasch, 2009-08-25

Story continued from Page 1

The Boston federal court drew a distinction between a computer break in — unauthorized access — and someone who, having been granted lawful access, abuses it. Even if one is granted lawful access to a part of a computer network, access to other parts of the network can be unauthorized. But if you are granted access to people’s information for one purpose and access it for another purpose, you are not guilty of computer hacking, although you may be guilty of other offenses.

In light of the Boston case, both Congress and state legislatures amended or drafted computer crime legislation that punished not only access that is wholly unauthorized, but also that which merely is beyond the scope of either actual authorization or implied authorization. While such a change may seem reasonable, that minor addendum has significant consequences.

Computer Use Policies

Many companies and government agencies have policies on computer use, Internet use, or e-mail use.

Some extend these policies to things like social networking sites, Twitter, texting, instant messaging or other services. Some policies are extremely restrictive, such as no personal use of these services on office equipment. Some may be even more restrictive than that, such as prohibiting the use of these services on office time, even if you use your own smart phone or internet connection.

Other policies are less restrictive, permitting "occasional" personal use of some of these services, providing that they are not used too frequently, don’t interfere with business, and aren’t "inappropriate." This prohibition can run the gamut from the obvious — banning the distribution of child or other pornography — to more subtle restrictions, such as forwarding off-color jokes or chain e-mails. Typically, these policies also prohibit the use of corporate or government computers for illegal activities, and note that violation of the policy can lead to sanctions including termination or even criminal prosecution.

What the Ohio Court of Appeals for Richland County, Ohio did on April 27, 2009, was to establish the precedent that, by using a corporate computer in furtherance of a violation of an unwritten policy constituted a computer crime. The Court noted that Wolf used his computer in a way that was "beyond the scope of the excess or implied consent" of the owner of the computer, and therefore a crime.

It is worth noting that the wastewater treatment plant had no computer use policy. The court simply found that it was apparently obvious that accessing pornographic Web sites, soliciting sex, or uploading nude pictures was not "authorized" and therefore was a computer crime.

The Court has thereby expanded the scope of the computer-crime statute. If anybody does anything on a computer that a court later concludes would not have been authorized by the owner of the computer, or violates the terms of any policy, then they run the risk of going to jail. Visit a porn site at work — something that is perfectly legal, but can get you fired or sued for harassment — and it becomes a criminal offense. Forward that unseemly joke or chain letter in violation of policy, and you become a criminal.

The test is no longer whether you "broke into" a computer, or "stole" information. Any use of a computer in excess of what you have been told you are allowed to do becomes a crime.

Companies need to consider this fact when they establish and disseminate computer use policies. Overly restrictive policies run the genuine risk of subjecting employees to criminal prosecution for activities which we know they engage in every day — like checking sports scores, emailing family members, or other similar "unauthorized" activities.

Of course, nobody would ever be prosecuted for such actions, right?

But if any use of a computer — or telephone, for that matter — is beyond the scope of express or implied authorization, the Wolf precedent makes it punishable.

Therefore, it is important for companies to review their computer and Internet use policies. Make sure that they reflect the genuine risks of improper or inappropriate behavior without creating so restrictive a policy as to subject the CEO to incarceration. That would be a bad thing.

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to   (page 2 of 2 ) previous 
Comments Mode:
Lazy Workers May Be Deemed Hackers 2009-08-26
Anonymous (1 replies)
Lazy Workers May Be Deemed Hackers 2009-08-27
batz (1 replies)
Re: Lazy Workers May Be Deemed Hackers 2009-10-09
Alan W. Rateliff, II


Privacy Statement
Copyright 2010, SecurityFocus