Search This Blog

Tuesday, October 8, 2013

Appellate Division in New York Upholds "Computer Trespass" Conviction

The case is People v. Puesan, and the court's opinion is available here.

The defendant was charged and convicted of "computer trespass" among other crimes, when he entered his place of employment while on disability leave and accessed computers in the office.  The court notes the
disability leave policy and security measures the office took:

Tom Allen, Vice President of Security at Time Warner, testified that an employee who is placed on work leave is not considered an active employee; his or her access card is disabled and thus cannot be used to gain access to the company's offices. This policy is announced in employee handbooks provided to employees, and any employee placed on leave is instructed by human resources department personnel regarding that policy. Since the public is not allowed to enter Time Warner Cable's Northern Manhattan office, security guards are stationed outside to ensure that those entering the building have valid ID cards.

Nevertheless, the defendant entered the office and accessed computers, apparently by using a program that generated password keys.  He resorted to this program after requesting the use of a coworker's login and password -- a request that was denied.

The appellate division of the superior court upheld the conviction and held that defendant had gained access to the computers "without authorization."  The court noted that New York's statute defined "without authorization" as "'access of a computer service by a person without permission . . . or after actual notice to such person, that such access was without permission' (Penal Law § 156.00[8])."  The court further clarifies what it takes for there to be access without authorization:

for access to be without authorization, the defendant must have had knowledge or notice that access was prohibited or "circumvented some security device or measure installed by the user"

The court held that the defendant's knowledge that he was not allowed in the building, and his use of the program to overcome the password security violated the statute.

While this case is clear, I feel like it is worth flagging because the court's definition of "without authorization" is relevant to a current debate over the meaning of a similar provision in the federal Computer Fraud and Abuse Act, and could help inform debate on the subject.  

The definition of "without authorization" continues to be a topic of dispute at the federal level, with the case of United States v. Auernheimer in the Third Circuit being a particularly notable example.  Cases like Puesan that clarify the definition of "without authorization" are particularly important, since the definition of this term in the federal context varies widely, depending on the circuit.

1 comment:

  1. That's a nice place of you; we have been polishing off there.

    dui ny

    ReplyDelete