Tuesday, May 12, 2009

Go to jail and don't collect your pay: In Ohio, visitng "adult sites" at work is defined as "hacking"


Scott Lowe has an important entry in the Tech Republic blog today, “visit an adult site at work and go to prison,” link here.

A man named Richard Wolf was convicted of “hacking” in Ohio when he visited the “Adult Friend Finder” website at a municipal workplace, in Shelbyville Ohio, with another story here, by John Sawyer, on the “Darkreading” blog here. Apparently a local supervisor found a nude adult picture on a work computer, and called police as well as firing him.

The Ohio statute RC 2913.04 (link on Law Writer) reads:
“(A) No person shall knowingly use or operate the property of another without the consent of the owner or person authorized to give consent.
“(B) No person, in any manner and by any means, including, but not limited to, computer hacking, shall knowingly gain access to, attempt to gain access to, or cause access to be gained to any computer, computer system, computer network, cable service, cable system, telecommunications device, telecommunications service, or information service without the consent of, or beyond the scope of the express or implied consent of, the owner of the computer, computer system, computer network, cable service, cable system, telecommunications device, telecommunications service, or information service or other person authorized to give consent”.
The law was designed to provide criminal penalties for those who illegally access and/or misuse consumer information from work computers. To that extent, these laws are common everywhere. For example, the Census Bureau can prosecute employees for misusing information acquired in a census, and I believe that the same is true for IRS employees. The state law here defines using a workplace computer in a manner beyond the scope of intended use as “hacking.” But generally, these laws have not in the past been interpreted as considering viewing adult pornography as “hacking.” Viewing or downloading pornography has simply been an HR issue resulting in discipline or termination.

When I worked for Chilton Credit Reporting back in the 1980s in Dallas in a mainframe environment, there was a very strict policy about using computer resources for personal purposes, even course work. Employees were told not to leave themselves signed on when away from desks. One person was fired in 1982, shortly after I had started there, for tampering with credit reports. The mainframe logon screen greeted the worker with a statement of the Texas computer crimes law passed in 1985.
Workers should consider this case before feeling too innocent about accessing inappropriate material at work.

It is possible to access inappropriate material because of deliberately deceiving or “ironic” domain names, like "whitehouse.com" and "nightcall.com" (at least in the past). Workplaces should use Site Advisors (like McAfee or Web of Trust) to intercept inappropriate sites, that could be entered by mistyping.

No comments: