About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Need assistance? Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases.
Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012)
The answer to that question may depend on whether you knowingly exceed your authorization. A New Jersey court recently held that a defendant was within the bounds of the law when he accessed and printed a co-worker’s personal email after the coworker left the computer without signing out of her account.
One morning when defendant, a teacher, sat down in the computer room of the school where he worked to check his email, he bumped the mouse of the computer next to him when he set his drink down. That stopped the screen saver on the other machine, revealing the inbox of a coworker’s Yahoo account. Defendant saw that some of the emails’ subjects mentioned him, so he clicked on them, printed them out, and later used them at an administrative meeting to further some points in a work dispute.
The coworkers whose email communications defendant had accessed in this way sued him for violation of New Jersey’s equivalent of the Stored Communications Act (N.J.S.A. 2A:156A–27). The plaintiffs moved for summary judgment on their claim, but the court let the question go to the jury. That jury found defendant had not violated the statute.
Plaintiffs appealed the denial of their motion for summary judgment. On appeal, the court affirmed, holding that the question was properly submitted to the jury.
Under the New Jersey statute, a plaintiff has a cause of action if, among other things, another person knowingly:
- accesses without authorization a facility through which an electronic communication service is provided, or
- exceeds an authorization to access that facility
The court briefly discussed whether the term knowingly applies both to “access without authorization” and “exceeds an authorization”. It held that it does.
Then the court went on to evaluate whether the jury should have gotten the question in the first place.
The court held that as a matter of law, defendant did not access the email account without authorization. Because the “index to the inbox” of the co-worker’s Yahoo account was displayed on the screen when the coworker left the computer, defendant did not access the “facility” without authorization. The accessing of the facility had been accomplished by the coworker. There was no evidence of hacking or other unauthorized access to her account.
As for whether defendant exceeded his authorized access, the court held that the lower court properly submitted the question to the jury. The court held that the facts could not preclude a jury finding that defendant did not exceed his authorized access. Indeed, six of the seven deliberating jurors found that defendant had not exceeded his authorization. And all of the jurors found that the coworker had provided “tacit authorization” for him to access the account. (The case does not specify what that evidence of tacit authorization was.)
So the jury’s finding that defendant did not exceed his authorized access stood.
An obvious pro-tip from the case is to remember to log out of shared computers. But the decision is potentially relevant to contexts other than email accounts on desktop computers. Does a person who finds another’s mobile device have the right to rummage through all the accounts (e.g., social media, email, dating sites) that the phone’s owner is logged into? This case underscores that the answer will be, frustratingly, “it depends.” It’s best to put some facts into play — like even the simple requirement of a 4-digit password — to establish contours for authorization which, when exceeded, are clear.
July 4, 2012
Good coverage. Just found you linked from BoingBoing.net.
I think this guy clearly crossed an ethical line and was being a dick. That’s not illegal though. Your analogy at the end doesn’t hold up. My phone is my personal property where a public computer in a lab isn’t. The key difference is the defendant here had every right to be using that machine. The decent thing to do would have been to log off the other person.
July 4, 2012
If Marcus had simply locked the workstation, which would have required Rogers to put in a password, then there is no controversy, as if Marcus had logged out. If Rogers had to do any action such as login, unlock, or use some sort of password or device to access the account then Rogers would be in violation of the law. Was Rogers a slime for looking at Marcus’ account because Marcus forgot to log out or lock the screen, yes. Was Marcus fully negligent, and therefore culpable, of allowing third party access to the account, yes. It is similar to an “attractive nuisance.”
Where I work it is required that if you leave your computer, you must log out or lock it. Failing to secure your station makes you liable for it.
Computer, workstation, smartphone; doesn’t matter, password protect it, set a time-out.
July 4, 2012
Additionally… Marcus left her account open and accessible on a “public” computer, usable by anyone who happens by. This was not a personal or private device in a private office or space.
July 5, 2012
I might have gone with looking at the index of emails did not exceed authorization, but clicking on the email to see the individual contents may have crossed the line.