Wednesday, 15 March 2006
The Court of Appeals for the Seventh Circuit handed down an interesting judgment on when deleting files might amount to a crime. The plaintiff, IAC, had employed the defendant, Citrin, to identify properties that IAC might want to acquire. It issued him a laptop computer he was to use to record data collected in the course of his employment.
Citrin decided to go into business for himself, and he returned his laptop to IAC — with, apparently, all information on it securely deleted, such that it was irrecoverable. This, IAC suspected, included data that implicated Citrin in breach of his employment contract. IAC brought suit under the Computer Fraud and Abuse Act, but its suit was dismissed for failure to state a case.
The Court of Appeals set aside the decision and ordered that the suit continue, in a typically elegant and brief judgment written by Judge Posner. The relevant provision was 18 U.S.C. § 1030(a)(5)(A)(i), which provides that a person breaches the section when he “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”, where “protected computer” was defined so as to include the laptop that Citrin used.
There was no direct evidence of exactly how Citrin had deleted the information. The judgment proceeds on the basis that some program was downloaded to the laptop, which was then used to wipe the information. On this assumption, the Court held that however the download had been effected, Citrin had breached the wonderfully-numbered sub-sub-sub-subsection.
The Court also held that, in merely accessing the files, Citrin had also breached § 1030(a)(5)(A)(ii), which applies to a person who “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage”, on the basis that his authorisation to access the data terminated once he engaged in self-dealing conduct incompatible with the employment relationship.
Either section, or even subsection (iii) — which is identical to (ii) save for the omission of “recklessly” — might well apply to another possibility, which the Court did not canvass. This was that Citrin might not have downloaded anything to his laptop, but removed its hard drive and accessed it from a different computer. In such a case, there would be an interesting question about whether he was still accessing “a protected computer”, given that he was only accessing part of his laptop — just the hard disk, as nothing was being sent to its CPU, which would likely not have even been powered on.
Section 1030(e) of the Act provides:
“the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device”
The emphasised portion might just be enough to catch a hard disk removed from a computer — as it would tend to defeat the operation of the Act if it did not. If it did, all three subsections would appear to catch even a deletion from another computer, as in each case commands were sent to the hard disk to overwrite the relevant data.
(The case is No. 05-1522, International Airport Centers v. Citrin)
Leave a Reply
Do not post material that is defamatory or obscene, that infringes any third party's copyrights, trademarks or other proprietary rights, or that violates any other right of any other person.
We reserve the right to remove or edit any comment for any reason.
Note: Posting more than two links in a comment may cause it not to appear because it will be submitted for moderation. Also, links in comments will not be counted by Google, so spamming is pointless.