BreadcrumbsHome / Person Exchanging Nude Pics at Work Deemed Hacker
Person Exchanging Nude Pics at Work Deemed Hacker
Last Updated on Sunday, 29 November 2009 09:57 Written by DarkKnightH20 Tuesday, 6 October 2009 12:00
Some people have to view pornography during all times of the day. This includes while they are at work. For others, this isn’t enough. They must also exchange nude pictures of themselves with others…while at work. Kinky is one word that comes to mind, as well as “self-control”. Unfortunately, if you do such things at work, you may be deemed a hacker. Watch out for legal charges!
“Richard Wolf did more than daydream at work.
“ The test is no longer whether you ‘broke into’ a computer, or ‘stole’ information. Any use of a computer in excess of what you have been told you are allowed to do becomes a crime. ”
From his office job at the Shelby City (Ohio) Wastewater Treatment plant, he was browsing adult Web sites, including one called Adult Friend Finder to meet women. When some of the women asked Wolf for nude pictures, he bought a digital camera, took pictures, and e-mailed them using his work computer.
In a communication with a dominatrix that advertised online, the woman proposed a “no-sex” session for $150, to which Wolf replied that, while he would love to be with her, he could not because he had “a lot of financial issues on my plate,” but that he might contact the woman at some time in the future.
Apparently Wolf spent a lot of time browsing these Web sites – about 100 hours over the course of several years, for which he was paid by the city about 23.92 an hour including his benefits. When caught, Wolf admitted that what he did was in violation of established work practices and “unethical and wrong.” He fully expected to be fired for his activities.
What Wolf did not expect was to be indicted. For the time he was supposed to be working but was surfing the Web, Wolf was charged with theft of his employer’s money for unauthorized use of property, and was charged with soliciting sex for money. The court concluded that he conversations between Wolf and the dominatrix was enough to establish at least a solicitation of sex, if not an agreement to have sex for money.
The recent Ohio State appellate case (pdf) demonstrates that computer, e-mail and Internet use policies that restrict the use of company computer systems can lead not only to termination of employees but to their prosecution and incarceration as well. More troubling for companies drafting computer use and computer security policies is the fact that Wolf was charged with computer hacking – yes, hacking.
The Ohio law on computer crime, Ohio Revised Code 2913.04(b), like similar laws in many jurisdictions, provides that:
(a) person, in any manner and by any means, including, but not limited to, computer hacking, shall knowingly gain access to . . . any computer, computer system, computer network, . . . beyond the scope of the express or implied consent of, the owner…
Many jurisdictions prohibit not only computer hacking — that is, the unauthorized access into a computer — but also “exceeding the scope” of authorization to access or use a computer. This distinction derives from a case in the early 1980s where an Internal Revenue Service (IRS) employee from Boston was unsuccessfully charged with breaking into the agency’s computers when he used his lawful access to the computer to read files of taxpayers he was not authorized to read.
The Boston federal court drew a distinction between a computer break in — unauthorized access — and someone who, having been granted lawful access, abuses it. Even if one is granted lawful access to a part of a computer network, access to other parts of the network can be unauthorized. But if you are granted access to people’s information for one purpose and access it for another purpose, you are not guilty of computer hacking, although you may be guilty of other offenses.
In light of the Boston case, both Congress and state legislatures amended or drafted computer crime legislation that punished not only access that is wholly unauthorized, but also that which merely is beyond the scope of either actual authorization or implied authorization. While such a change may seem reasonable, that minor addendum has significant consequences.
Computer Use Policies
Many companies and government agencies have policies on computer use, Internet use, or e-mail use.
Some extend these policies to things like social networking sites, Twitter, texting, instant messaging or other services. Some policies are extremely restrictive, such as no personal use of these services on office equipment. Some may be even more restrictive than that, such as prohibiting the use of these services on office time, even if you use your own smart phone or internet connection.
Other policies are less restrictive, permitting “occasional” personal use of some of these services, providing that they are not used too frequently, don’t interfere with business, and aren’t “inappropriate.” This prohibition can run the gamut from the obvious — banning the distribution of child or other pornography — to more subtle restrictions, such as forwarding off-color jokes or chain e-mails. Typically, these policies also prohibit the use of corporate or government computers for illegal activities, and note that violation of the policy can lead to sanctions including termination or even criminal prosecution.
What the Ohio Court of Appeals for Richland County, Ohio did on April 27, 2009, was to establish the precedent that, by using a corporate computer in furtherance of a violation of an unwritten policy constituted a computer crime. The Court noted that Wolf used his computer in a way that was “beyond the scope of the excess or implied consent” of the owner of the computer, and therefore a crime.
It is worth noting that the wastewater treatment plant had no computer use policy. The court simply found that it was apparently obvious that accessing pornographic Web sites, soliciting sex, or uploading nude pictures was not “authorized” and therefore was a computer crime.
The Court has thereby expanded the scope of the computer-crime statute. If anybody does anything on a computer that a court later concludes would not have been authorized by the owner of the computer, or violates the terms of any policy, then they run the risk of going to jail. Visit a porn site at work — something that is perfectly legal, but can get you fired or sued for harassment — and it becomes a criminal offense. Forward that unseemly joke or chain letter in violation of policy, and you become a criminal.
The test is no longer whether you “broke into” a computer, or “stole” information. Any use of a computer in excess of what you have been told you are allowed to do becomes a crime.
Companies need to consider this fact when they establish and disseminate computer use policies. Overly restrictive policies run the genuine risk of subjecting employees to criminal prosecution for activities which we know they engage in every day — like checking sports scores, emailing family members, or other similar “unauthorized” activities.
Of course, nobody would ever be prosecuted for such actions, right?
But if any use of a computer — or telephone, for that matter — is beyond the scope of express or implied authorization, the Wolf precedent makes it punishable.
Therefore, it is important for companies to review their computer and Internet use policies. Make sure that they reflect the genuine risks of improper or inappropriate behavior without creating so restrictive a policy as to subject the CEO to incarceration. That would be a bad thing.”