Unauthorized Use of Computer
We represent people accused of gaining unauthorized access to computers throughout the state of Massachusetts and in federal courts.Federal Law
The federal Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) prohibits (1) accessing a computer without authorization or exceeding one’s authorization and thereby accessing information the U.S. government has deemed needs to be protected against unauthorized disclosure; and (2) intentionally accessing a computer or intentionally exceeding authorization and thereby accessing financial information, information from any department or agency of the U.S. government, or information from any “protected computer.” While this statute appears to limit the computers to which it applies, in reality “protected computer” is defined by the law to be any “electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” that “is used in or affecting interstate or foreign commerce or communication.” In other words, the term “protected computer” covers any computer, tablet, or smartphone that is connected to the internet.
In addition to prohibiting unauthorized access of a computer, the CFAA prohibits: computer espionage, trespassing on a government computer, committing fraud using a computer, damaging a protected computer (such as with viruses and worms), trafficking in passwords of a government or commerce computer, and threatening to damage a computer.
The Federal Stored Communications Act (SCA) (18 U.S.C. § 2701 et seq.), passed in 1986, prohibits “intentionally access[ing] without authorization a facility through which an electronic communication service is provided; or intentionally exceed[ing] an authorization to access that facility” and thereby obtaining access to electronic communications in electronic storage. The federal circuit courts have split as to whether accessing someone else’s cloud-based email account violates the SCA, and neither the Supreme Court nor the First Circuit Court of Appeals has addressed the issue, leaving it an open question as to whether if someone in Massachusetts logs in to another person’s cloud-based account without authorization they will be found to have violated this federal law.State Law
Massachusetts General Laws chapter 266, § 120F makes it a crime to access a computer system without authorization, or to remain accessing a computer system after knowing that the access is unauthorized. This statute may cover actions such as: logging in to someone else’s computer without permission, sending or reviewing emails in someone else’s email account, and creating unauthorized online accounts. It is important to note that the term “computer system” does not just mean the computer of another person; accessing someone’s internet accounts, such as email, even if from your own computer may be prosecuted as a violation of this statute.
What does the prosecution have to show in order to prove a violation of this statute? The prosecutor must show (1) that you accessed a computer system; (2) that you knew the computer system required authorization; and (3) and that you knew you did not have that authorization. The law explicitly states that “the requirement of a password or authentication to gain access” puts a person on notice that the computer system requires authorization.
The Massachusetts courts have not had much cause to examine and interpret this law, meaning it is not clear in what situations it might apply. One of the few cases to address this law made clear that while looking at multiple web pages or documents during one unauthorized login is not grounds for multiple charges of violation of this section, repeated unauthorized logins to the same computer system can give rise to multiple charges of unauthorized computer use.
Other than that holding by the Massachusetts Appeals Court, the scope of the law’s application has yet to be defined. One superior court found that although the statute does not define the word “access,” that term was clear enough in the law to withstand constitutional challenge. This decision was unpublished and is not binding on other courts in Massachusetts. The law similarly does not define the term “computer system,” and the relevant federal laws do not use this term, leaving room for defendants to challenge prosecutions for actions other than simply logging in to someone else’s computer. While we have seen the police bring these charges against people for accessing, for example, someone else’s email accounts, it is not clear that an email account is a “computer system” under the law. The law was passed in 1994, and likely did not contemplate the various electronic systems people routinely use today. For example, courts do not yet appear to have taken up the question of whether accessing another person’s smartphone constitutes a violation of this statute, i.e. whether a smartphone is a “computer system.” These are some of the areas we explore in defending our clients against charges of unauthorized use of a computer.
If you have been charged with unauthorized access of a computer system, contact one of our attorneys at (617) 742-6020.