Laws Prohibiting Unauthorized Access or Use

One behavior not covered by traditional legislation, even when criminal laws were extended to reach offenses against intangible property, is the electronic trespass. New state laws aimed at preventing unauthorized access to, or unauthorized use of, computers, computer facilities, or computer communications systems were therefore passed. These statutory approaches treat a computer system as a protected environment. Thus, access to the computer environment becomes a protected right.

Although a majority of states have enacted legislation criminalizing either unauthorized computer access or unauthorized computer use, there are crucial differences between these two crimes. State legislative schemes often reflect the choice of one or the other, but it is hoped not without sufficient appreciation for the fact that different individuals are covered by each, and, accordingly, differing penalties might more appropriately attach to each proscribed behavior. (Michael P. Dierks, in “Computer Network Abuse” from the spring 1993 issue of the Harvard Journal of Law and Technology observes that in the 1980s state courts, addressing the use of whether computer time was property, treated those who obtained unauthorized access and then used computer time in the same way as those who had authorized access as having committed an unauthorized use. “Although separation of these two models is possible, courts did not make such a distinction.”)

Kansas, in defining computer crime, maintains separate definitions for those who willfully and without authorization gain access to a computer or computer system, those who use a computer system in unauthorized ways, and those who exceed the limits of their authorization to do damage or to take possession of a computer or system. (Kansas penalizes all three forms of behavior identically; however, a loss of less than $150 is a misdemeanor, and the loss of $150 or more is a class E felony.) South Dakota, by contrast, proscribes as “unlawful uses of a computer” when one “[k]nowingly obtains the use of, or accesses, a computer system, or any part thereof, without the consent of the owner” (S.D. Codified Laws Ann. § 43-43B-1).

Unauthorized access provisions begin with an act of trespass and become more serious, depending on the results of the intrusion. Unauthorized use, however, though it applies to all outside intruders, also covers the actions of insiders, authorized personnel who use access privileges in unauthorized ways.

Whether a legislative body chooses to attach identical penalties to the functional equivalent of a burglar and an embezzler is, of course, a decision well within its province, and different legislative bodies have addressed this issue differently. Congress, for example, decided that policy differences do support differentiating between these two classes of individuals, at least for certain types of prohibited acts. Under § 1030(a)(3) of Title 18, it is a misdemeanor for a government employee working in one government agency to trespass in a computer belonging to another government agency, but exceeding authorized access with regard to a computer in an employee’s own agency is not criminal. Congress took the view that administrative sanctions are more appropriate than criminal punishment in such cases.

Some states might make very different policy choices over how those with access privileges should be treated under criminal law, and thus it would appear quite natural for states to devise two separate but related tracks of computer-related legislation. One track might be aimed solely at outsiders (it would rely on the unauthorized access predicate), and another might aim at insiders (it would rely on the unauthorized use predicate). That outsiders can properly be charged under both branches simultaneously should not raise concern because this fact merely reflects the belief that an uninvited person who trespasses to do harm is more contemptible than an invited person who abuses his or her access privileges to commit a similar harm.

Today, approximately 40 states have laws that make the unauthorized access to or use of a computer a criminal offense. Many of these schemes maintain as a threshold that an unauthorized access or an unauthorized use of a specifically defined environment occurs, and then varying levels of accountability are attached to the resulting harm. The mere act of trespass often remains a misdemeanor offense, but the crime reaches felony level if theft or damage results, thus incorporating concerns regarding the integrity of information.

The Arkansas Code Ann. § 5-41-104(a), for example, prohibits computer trespass and applies to anyone who “intentionally and without authorization, accesses, alters, deletes, damages, destroys, or disrupts any computer, computer system, computer network, computer program, or data.” The Arkansas code rates three classes of misdemeanors: (1) first offenders who do no damage, (2) first offenders whose damage is less than $500 or a subsequent offender whose actions result in no damage, or (3) cases in which the damage is at least $500 but less than $2,500. A trespass causing loss or damage equal to or in excess of $2,500 is a class D felony.