We’ve said it before and we’ll say it again: violating a computer use restriction is not a crime. That’s why today EFF filed an amicus brief urging the Oregon Supreme Court to review a troubling opinion by the Oregon Court of Appeals in State v. Nascimento, finding an employee committed a computer crime for violating her employer’s computer use restrictions. 

Caryn Nascimento worked as a cashier at the deli counter of a convenience store. As part of her job, she was authorized to access a lottery terminal in the store to sell and validate lottery tickets for paying customers. Store policy prohibited employees from purchasing lottery tickets for themselves or validating their own lottery tickets while on duty. After a store manager noticed a discrepancy in the receipts from the lottery terminal, it was discovered that Nascimento had printed lottery tickets for herself without paying for them. She was ultimately convicted not only of first-degree theft, but also of computer crime on the ground that she accessed the lottery terminal “without authorization.”

Nascimento appealed the computer crime conviction. She argued that because she had permission to access the lottery terminal as part of her work duties, she did not access the terminal without authorization—as required under the Oregon's computer crime statute. Unfortunately, the Oregon Court of Appeals affirmed Nascimento’s conviction, finding she had only “limited authorization” to access the lottery terminal for purposes of printing and validating lottery tickets for paying customers, and acted without authorization when she printed them for herself.

Nascimento filed a petition for review, asking the Oregon Supreme Court to review the decision and we filed an amicus brief in support of her petition. As we explain to the Oregon Supreme Court, review is necessary because the Court of Appeals’ decision transforms millions of unsuspecting individuals into criminals on the basis of innocuous, everyday behavior—such as checking personal email or playing solitaire on a work computer. Such restrictions, frequently included in employers’ computer policies, are no different than the restriction imposed on Nascimento. They're ultimately all computer use, not access, restrictions. Upholding Nascimento’s conviction on the basis of a violation of a computer use restriction expands Oregon’s computer crime statute to criminalize violations of any computer use restriction. Two federal courts of appeal—the Fourth and Ninth Circuits—have explicitly rejected an expansive interpretation of parallel language in the federal computer crime statute, the Computer Fraud and Abuse Act (“CFAA”), for precisely this concern about turning millions of innocent people into criminals.

This case is dangerous because it gives employers—and website owners—the power to make behavior illegal just by stating in a written computer use policy that it’s not allowed. For example, a worker could be prosecuted for reading personal email or checking the score of a baseball game if her employer’s policy says that company computers may be used only for work-related purposes. Or, because Facebook’s terms of use prohibit users from providing false person information, a Facebook user could be prosecuted for shaving a few years off her age in her profile.

We hope the Oregon Supreme Court recognizes the dangers of such an expansive interpretation of the state's computer crime statute, and grants Nascimento’s petition for review.

Special thanks to our local counsel, J. Ashlee Albies of Creighton & Rose, PC in Portland, Oregon.