Tag Archives: access

ACLU challenges NSA surveillance

On June 11th, the ACLU filed a lawsuit challenging the NSA’s surveillance program.  The ACLU lawsuit alleges that the program violates the First Amendment rights or free speech and association, the right to privacy under the Fourth Amendment, and that the surveillance program exceeds the authority provided by the Patriot Act.

ACLU, a customer of Verizon, made the following comments:

This dragnet program is surely one of the largest surveillance efforts ever launched by a democratic government against its own citizens.

It is the equivalent of requiring every American to file a daily report with the government of every location they visited, every person they talked to on the phone, the time of each call, and the length of every conversation.  The program goes far beyond even the permissible limits set by the Patriot Act and represents a gross infringement of the freedom of association and the right to privacy.

The complaint can be accessed here.

via ACLU Files Lawsuit Challenging Constitutionality of NSA Phone Spying Program | American Civil Liberties Union.

Leave a comment

Filed under civil rights, electronic discovery, federal, Privacy Rights

Proposed “Cloud Computing Act of 2012”

Sen. Amy Klobuchar has introduced a new bill, the “Cloud Computing Act of 2012” (S.3569), that purports to “improve the enforcement of criminal and civil law with respect to cloud computing.”

The Cloud Computing Act seeks to amend 18 USC 1030 by purporting:

  • It is a separate offense to have unauthorized access (including exceeding the authorized access) to a cloud computing account, or even conspiring to have unauthorized access.
  • Defining “cloud computing account” as “information stored on a cloud computing service that requires a password or similar information to access and is attributable to an individual”
  • Defining “cloud computing service” as a service that “enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.”
  • The losses are (1) the value of the loss of use, information, or aggregated loss to 1 or more persons; or (2) the product obtained by multiplying the number of cloud computing accounts accessed by $500.”

As a reminder, 18 USC 1030, a person who acts or conspires to act in violation of the Act is to be

  • (1) fined or imprisoned for not more than 10 years or both, when the conviction does not occur after another offense under the section; or
  • (2) fined or imprisoned for not more than 20 years or both, when the conviction occurs after another offense

 

The problems with this proposed bill are alarming due to the vagueness of the definitions.  In employment, I can see this Act (if it goes through) being used against employees.

For example, say if your authorized access is limited to “work” use.  If an employee uses the computer network to go to a social network, how would this pan out?  The employee, in this case, uses a password to get into the network of the employer.

Or say that authorized access is limited to using email for work purposes only.  What if the employee sends a personal email or an email to an attorney using the work email?  The email account is, after all, protected by a password and it is in the alleged protected network of the employer.

Or say that authorized access is limited to accessing the email at work.  Yet, the employee and other employees, and say even management, use their smartphones to keep up with work.

I can see potential issues in employment law, where the situation does not arise out of the purported intent of the Act.  None of these cases involve a person getting into a network or service to steal information.  None of these cases involve a disgruntled employee accessing information they are not supposed to have access to.

It is my guess that if the Act gets through, there will be a need for a lot of updates on employee policies, manuals, and trainings.

3 Comments

Filed under Pending Legislation, technology

Computer Use At Work

Employers usually have computer usage policies, which detail that employees can only use computers for work-related purposes.  In other words, employees cannot access social networking websites or other unrelated websites.  In my practice, I have observed employers monitor and track employees’ computer usage.

A new wrinkle to the computer usage scenario has popped into the Circuit courts.  United States v. Nosal, 10-cv-10038 (9th Cir. 2012), examined the issue of criminalization of improper computer usage by an employee.  The issues presented at the court where as follows:

Does an employee who violates such a policy commit a federal crime?  How about someone who violates the terms of service of a social networking website?

In summary, the Ninth Circuit held that under a strict scrutiny read of the Computer Fraud and Abuse Act, 18 USC 1030, Congress did not intend to criminalize computer use exceeding authorized access.  The Ninth Circuit agreed with the district court that “[t]here is simply no way to read [the definition of ‘exceeds authorized access’] to incorporate corporate policies governing the use of information.”  In other words, the CFAA, the anti-hacking statute, is not an expansive misappropriation statute.

Leave a comment

Filed under civil rights, employment