Georgia Supreme Court Overturns Computer Crime Conviction For Man Who Copied Himself On Emails Sent To His Boss
from the one-for-you,-one-for-me dept
It's not just the CFAA that can be abused. This law -- recently trimmed a bit by the US Supreme Court -- has been abused for years to go after web scrapers, researchers, and information-wants-to-be-free activists. The recent ruling does narrow the scope of that law a bit, but the CFAA still has the potential to do serious damage when wielded carelessly or vengefully.
The state of Georgia has its own set of computer crime laws and they're just as capable of being interpreted by prosecutors to criminalize acts that shouldn't be criminal offenses. Fortunately, a state court has made a sensible reading of the law to overturn a conviction for computer trespass -- one that saw a former Norcross (GA) city employee hit with felony charges. (h/t Andrew Fleischman)
Jereno Kinslow was a city IT employee who had some problems with his new boss, Greg Cothran. Cothran criticized Kinslow's work performance, leading to a "loud outburst" from Kinslow. This apparently made Cothran concerned Kinslow might sabotage the city's network. Certain "safety measures" were put in place and Kinslow was eventually fired.
Before Kinslow was let go, he utilized his administrator-level access to forward copies of emails sent to Cothran to his own personal email account. This was discovered by Cothran months later when he received a bounce notification specifying Kinslow's email account. This alleged "criminal trespass" formed the basis for charges that resulted in Kinslow being convicted of a felony and sentenced to ten years of probation.
Kinslow challenged his conviction under this statute, claiming prosecutors did not present evidence that he had actually violated the law. The Georgia Supreme Court agrees [PDF] with Kinslow.
OCGA § 16-9-93 (b)(2) defines the offense of computer trespass, in relevant part, as “us[ing] a computer or computer network with knowledge that such use is without authority and with the intention of . . . [o]bstructing, interrupting, or in any way interfering with the use of a computer program or data.” Kinslow was charged with committing computer trespass by “us[ing] a computer network with knowledge that such use was without authority and with the intention of obstructing and interfering with data from a computer, by copying Greg Cothran’s e-mails and causing them to be forwarded to his own private e-mail account.”
The State thus was required to prove that Kinslow used a computer network knowingly without authority with the intention of obstructing or interfering with the use of data. We conclude that the evidence presented at trial was insufficient to prove that Kinslow’s use was done with the intention of obstructing or interfering with the use of data.
The court says the facts don't fit the charged crime. There was no "obstruction" of data when Kinslow intercepted copies of Cothran's emails.
Contrary to the State’s suggestion, the State presented no evidence that Kinslow’s e-mail forwarding scheme “blocked” or even “hindered” the flow of data in the form of e-mails to Cothran, who continued to receive those e-mails intended for him. Rather, the evidence showed only that Kinslow’s actions created an additional flow of data to another account.
There you have it: copying is not theft obstruction.
But wait, said the state, maybe it's an [re-reads statute]... um… "interruption?"
Nope, says the court:
“Interrupt” carries a similar definition of stopping or hindering, although “interrupt” often denotes a more temporary stoppage than “obstruct,” such as “to make a break in the continuity of.” Again, the State presented no evidence that Kinslow’s actions hindered the flow of e-mails to Cothran, either permanently or temporarily.
Making copies also doesn't "interfere" with the flow of data, the court decides. The flow of data was so unobstructed, uninterrupted, and un-interfered with that Kinslow's supervisor didn't even know it was happening until one of the emails bounced.
It's a short, solid ruling that forces the state to accept the fact that words have meanings, and those meanings cannot be distended to encompass the actions seen here.
The dissent, however, thinks the court should have broadened the law to encompass all sorts of innocuous behavior by using the very loosest definitions of the word "interfere."
Webster’s New Twentieth Century Dictionary (2d ed. 1983); “to interpose in a way that hinders or impedes: come into collision or be in opposition . . . to enter into or take a part in the concerns of others,” Webster’s Ninth New Collegiate Dictionary (9th ed. 1985); and “to come between so as to be a hindrance or an obstacle . . . to intervene or intrude in the affairs of others; meddle.” The American Heritage Dictionary of the English Language (3d ed. 1992). Black’s Law Dictionary (11th ed. 2019) primarily defines “interfere” as “[t]he act or process of obstructing normal operations or intervening or meddling in the affairs of others.”
So, under these definitions, shoulder-surfing someone else's Facebook account would be a criminal act. Sure, probably no one would attempt to criminally charge anyone for doing this, but that's the expansive reading the Chief Justice of this court thinks is correct.
This is a good ruling that clearly delineates what is or isn't covered by this computer crime law. And while Kinslow's actions may have been cheap, dishonest, and all-around lousy, they weren't criminal.
Filed Under: cfaa, computer crime, emails, georgia, greg cothran, hacking, jereno kinslow
Reader Comments
"defines “interfere” as “[t]he act or process of obstructing normal operations or intervening or meddling in the affairs of others.”"
So does that mean Greg can be sued since he used a computer to obstruct the normal operations of Jereno, by meddling & intervening in the affairs of others??
"the City’s computer network settings had been altered by checking a box"
A Y F K M??
[ link to this | view in chronology ]
Re:
using BCC as interference
[ link to this | view in chronology ]
I have to wonder if the Third Party Doctrine could be applied, in this case. Shouldn't it go both ways?
[ link to this | view in chronology ]
I wonder why we don't see any quotes from Kinslow as to why he took this action. My bet would be that he was watching to see if Cothran was going to bad-mouth him to others within the department, or possibly to a prospective new employer. The fact that Kinslow didn't initiate any lawsuit after several months tells me that Cothran didn't do so, and he closed the email account.
[ link to this | view in chronology ]
This sentence and the headline are quite misleading, and make it sound like maybe he just stuck his personal address in the BCC field—which may violate confidentiality, but isn't especially sinister and doesn't usually require special access. What actually happened is that he set up a forwarding rule such that all emails sent to the boss, by anyone, would be sent to his personal account: "The City [...] discovered that the [...] settings had been altered [...] to cause Cothran’s incoming e-mail messages to be copied and forwarded to Kinslow’s personal [...] account. [...] This forwarding continued until it was discovered [...], two months after Kinslow’s termination."
[ link to this | view in chronology ]
Hmmm
Creating a forwarding rule for ALL of your boss's emails (heck anyone in a company) seems like a mighty evil trespass and nefarious deed. That's basically espionage. Seems like it ought to be punishable somehow someway.
I'd sure like to have BCC of every email Bill Gates/Black Turtleneck and the CEO at your local biotech company send/sent. Probably be rather profitable.....
[ link to this | view in chronology ]
Re: Hmmm
Probably a bad thing to do, especially in what we call the "real world". But in the rarified atmosphere of government, all that stuff is, or ought to be, public records. It is the public's business being carried out, by the public's paid servants.
So, while the defendant appears to have done everything wrong, and clumsily, condemnation may be unduly harsh on these facts.
[ link to this | view in chronology ]
Looks like they had no confidentiality policy in place with established fines... and resorted to anything they could find to punish the guy. Their legals are two times bad.
[ link to this | view in chronology ]