
Snooper cleared after reading colleague's email

Rob Beschizza at 8:59 pm Tue, Jul 3, 2012


Photo: Shutterstock

A New Jersey teacher rifled through a colleague's email after she left her mailbox open on a public computer. She and her correspondents sued him. Jurors cleared him on hacking charges, however, agreeing that her failure to log out amounted to "tacit authorization." Timothy B. Lee at Ars Technica:

According to New Jersey law, a person is guilty if he "knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility." The judge ruled that Marcus, not Rogers, had accessed her e-mail. So Rogers was on safe ground on the "access" question. However, the judge let the jury decide whether Rogers had exceeded the "authorization" Marcus had accidentally granted to him. The jury ruled that he had not.

At Internet Cases, attorney Evan Brown offers an analysis of the case: "The decision is potentially relevant to contexts other than email accounts on desktop computers. Does a person who finds another’s mobile device have the right to rummage through all the accounts (e.g., social media, email, dating sites) that the phone’s owner is logged into? This case underscores that the answer will be, frustratingly, 'it depends.'"

Also, yes, there is a stock photo for everything.


  • fuzzyfuzzyfungus

    This seems like an unbelievably broken decision.

    “Authorization” is basically just “consent” with an ID badge, used because it sounds more computer-security-ish. The idea that you could “grant authorization” by accident seems practically contradictory (not quite. If, by some processing error, FooCorp issued Joe The Temp a mailbox that hadn’t been purged, he wouldn’t really be some kind of hacker because he connected to it automatically when he first logged in and opened Outlook…); but if you have to do it covertly, it seems highly unlikely that you even think you are authorized, much less are.

    In other news, Sony Inc. issued tacit authorization to Lulzsec by sucking at security a lot…

    • http://tryingsense.blogspot.com/ R_Young

      That doesn’t follow at all; if you can show any small amount of criminal intent, this automatically wouldn’t apply.  Lulzsec didn’t just find a way in, crash the servers, and steal tons of cc numbers, they did it and *bragged* about how easy it was.

      • The Rizz

         So, the bragging is the part you have a problem with?

        • http://tryingsense.blogspot.com/ R_Young

          Frankly my dear, I don’t give a damn.

          All I’m sayin’ is the “setting judicial precedent” argument is bs. If the guy had gone through every email and printed them out, that would be both creepy AND possibly show malicious intent.

  • bzishi

    I left my front door unlocked. You now have tacit authorization to enter my house and go through all my records and belongings.

    • Antinous / Moderator

      I left my front door unlocked.

      No, you left your diary open on a public bench.  It was a public computer, not her house, not her cell phone, not her laptop.

      • Jake0748

         Phooey. More like a letter she was going to send (or a copy of one which she had already sent), fell out of her pocket on a public street.  Still not right to read, copy and use it to his advantage.

        • http://tryingsense.blogspot.com/ R_Young

          Not right, but should it justify a lawsuit?  Read an open letter on the ground, get sued?

      • bzishi

        I agree, this is a better analogy.

    • http://www.pattayamail.com John Thomas

       I’ve tacit authorisation to look through your open door perhaps.

  • Jake0748

    Is it passe to bemoan the absence of common sense in this world today?  WTF was wrong with this jury and these courts?  The guy snooped on private communications, period.  And he doesn’t even get a slap on the wrist. 

    Meh… once again the world depresses me. 

    • MythicalMe

       In the 18th century and early 19th century, if you mailed a letter through the US Postal service it was likely that your neighbors knew the contents within hours of it hitting the post office. It was also not unusual for the postman to open, read and pass on to your neighbors any letters you might be receiving. If you truly wanted to keep something secret you hired a private courier.

      As for common sense, there is nothing that I receive or send by e-mail that if it ended up disclosed I would find particularly embarrassing. Anything that goes out on the internet is possible for someone else to see. Only encryption provides some reasonable assurance of privacy, but you have to take steps to ensure that your personal security isn’t compromised.

      Bottom line is that if you leave a public computer logged in and then go to the washroom you cannot expect someone to sit down at the computer you were using and not read your e-mail.

      I think your definition of common sense is being muddied by your own bias.

      • Jake0748

         Well, you’re right.  But my own bias is that I think that it is just plain wrong (unethical, immoral, evil?) to pry into other people’s private communications.  I don’t EXPECT people to not read my email if I leave it open when I go to the crapper, but at least I can WISH that they wouldn’t. 

        • Antinous / Moderator

          Of course it’s immoral. But this post is about whether or not it’s illegal.

      • bzishi

        I think the legal question must come down to intent. If it was a stalker or a person who was trying to find financial information, then clearly the victim’s rights would have been violated to the extent that some sort of action by the state would be needed. It also depends on whether the individual planned the snooping or did it by accident. If an individual plans to get some sort of advantage through snooping or intends to use information gained to commit a crime, then it should be illegal even if it was done on a public terminal. And if an individual intentionally waits until a person walks away from a public terminal to check if it is unlocked, then that is also an overt act to try to intentionally violate that person’s privacy. It should also be a crime.

        Where it becomes fuzzy is if a person accidentally snoops and finds that a coworker has some medical condition, is interviewing for another job, has legal troubles, etc. If the snooper then discloses this information, should that be illegal? What if the snooper knows that this information would get the coworker fired or would cause some sort of discrimination?

  • MB44

    Officer on witness stand: We then found the evidence needed in the defendant’s email and detained the defendant.
    Prosecution: And was the defendant logged in already?
    Officer: Yes.
    Prosecution: You see your honor, we have tacit approval. The search is completely legal. 
    Defendant: Shit.

  • 10xor01

    Wow, there’s a stock photo for anything nowadays.

    • http://twitter.com/joegormally Joe Gormally

      Even though they credit the source as Shutterstock.. I’m pretty sure it may have come from AwkwardStockPhotos.com

  • semiotix

    Can you also post from an account someone forgot to log out of? Is that allowed too? Because Marvin H. Chucklewit here has some interesting, um, “boudoir” photos on his hard drive I’m kind of dying to put up on his own Facebook page.

    Oh, sorry, you people apparently know him as “semiotix.” (WTF?!)

  • KeithIrwin

    The real problem is that the law is so breathtakingly vague.  Pretty well all of the hacking statutes just talk about whether or not you’re authorized.  Well, authorized by who?  The owner of the computer?  The owner of the files?  Do files actually have owners?  If they’re not protected by copyright, there’s no clear law giving computer files owners.  Do accounts have owners or just people they’re associated with?  If Zoë opens a file which is in Alice’s home folder but is owned (in the computer security sense) by Bob and is located on the virtual hard drive of the VPS that Carol rents and Dave administers and runs on the machine which Elle administers and Frank rents from a co-lo facility owned by Georgianna, whose permission is sufficient?  Some of this might depend on the contracts between them, but assuming that the contracts don’t say, what does the law say?  It’s really not vaguely clear.

    And this case touches on the even further question: how do you know if you’re authorized?  Do you need to be explicitly authorized?  If so, I access machines without explicit authorization all the time.  No one ever told me that I was allowed to point a web browser at port 80 on boingboing.net.  It’s just assumed.  If I find a secret URL on the site that unlocks administrative functions and load it, was I authorized to do that?  What if the URL has an SQL-injection attack, am I authorized to change their database because they left me the ability to?  Where does the line get drawn?  I think that it does a disservice to us all to let the courts resolve this sort of case in a piecemeal, higgledy-piggledy fashion.  It results in questions which are not just unanswered, but unanswerable.  If our legislators would actually pay attention to where we need laws, they might be helpful with these sort of questions.

    • http://disqus.com/Kimmoth/ Kimmo

       Word.

    • Palomino

      I agree to a certain point. Whenever I hear of anything “internet/electronically” related I compare it to tangible reality. If  this same guy walked by this woman’s house and saw her mailbox open, took and opened and read all of her mail, then put it back, would the charges have been the same?  

      For me, that’s the confusing part. And I think that’s why this ACTA stuff is so confusing. Say 1 digital edition of a book gets uploaded for free tens of thousands of times. Fine, some people  think that’s egregious. I don’t know. Now use my formula. Someone breaks into a warehouse, steals tens of thousands of this same novel in paperback and hands them out for free on the streets. We know the answer to that. 

      So these bills like ACTA and SOPA are  pushes to get solid definitions between tangible intellectual property and intangible intellectual property. And I think that’s O.K. Right now it’s in the Push-Me-Pull-You stage.

      • KeithIrwin

        Except that theft isn’t really an analogue for copyright violation since copyright violation doesn’t deprive the original owner of the copies.  So the correct analogue in this case is that someone buys one copy of the book and then makes ten thousand photocopies and hands them out on the street.  (Or truthfully, because the file sharing network only makes copies in response to requests from users, the even more exact physical analog would be that you have a book copying machine sitting on the street with that book in it and anyone who comes by can push the button to copy the book and 10,000 people do.)

        But beyond that, the bigger problem is that physical analogues only go so far.  We have well defined laws for physical trespass in my state.  You are trespassing if you a) go on someone’s land when they’ve told you you aren’t allowed to or posted signs to that effect b) climb over a fence into a fenced off part of their land or enter a building unless you’ve been specifically told you’re allowed or they’ve posted signs welcoming everyone.  So, what’s the computer system analogue to a building or a fence or a no trespassing sign or an “Open for business” sign?  Those seem like really tricky questions which depend more on what we want the law to be than on what the logical equivalence is.

        • Palomino

          My fault, I usually follow the link and read the story, I’m way off base; I would have read the emails too if I saw my name. 

  • http://disqus.com/Kimmoth/ Kimmo

    Also, yes, there is a stock photo for everything.

    Heh, snap

  • Palomino

    Bait Mail. 

    There’s a well defined line between “trespass” and “breaking & entering”. This guy trespassed. 

    • Antinous / Moderator

      Do you want to send him to jail or impoverish him for looking at something left on a public computer?

  • http://www.facebook.com/csismeiro Carlos Sismeiro

    My understanding of this (and how I think they should have ruled):

    He did nothing illegal as he did not hack or actively try to enter the private accounts of the other person.
    However he proved himself to be a jackass and everyone that considers him a friend is strongly advised to reconsider.

    • Talia

      That’s a bit strongly worded wouldn’t you say? Guy gave in to curiosity/temptation. I think that’s only human, even if most people would have walked away. It’s not like he’s some sort of monster. Just curious.

  • Gilbert Wham

    If I inadvertently leave a  password-locked account open, and someone accesses it without my say-so (viz. the oh-so-enterdaining ‘Fraping’), I consider tacit authorisation to have been given for me to yell at them/kick them out/sock them in the jaw, dependent upon severity of said shenanigans and how bad-tempered I’m feeling. It’s a dick move, and anyone doing it deserves a bollocking for being a dick.

  • http://twitter.com/sirkowski Sirkowski

    I’m ok with this.