Georgia Supreme Court Overturns Computer Crime Conviction For Man Who Copied Himself On Emails Sent To His Boss

(Mis)Uses of Technology

from the one-for-you,-one-for-me dept

It’s not just the CFAA that can be abused. This law — recently trimmed a bit by the US Supreme Court — has been abused for years to go after web scrapers, researchers, and information-wants-to-be-free activists. The recent ruling does narrow the scope of that law a bit, but the CFAA still has the potential to do serious damage when wielded carelessly or vengefully.

The state of Georgia has its own set of computer crime laws and they’re just as capable of being interpreted by prosecutors to criminalize acts that shouldn’t be criminal offenses. Fortunately, a state court has made a sensible reading of the law to overturn a conviction for computer trespass — one that saw a former Norcross (GA) city employee hit with felony charges. (h/t Andrew Fleischman)

Jereno Kinslow was a city IT employee who had some problems with his new boss, Greg Cothran. Cothran criticized Kinslow’s work performance, leading to a “loud outburst” from Kinslow. This apparently made Cothran concerned Kinslow might sabotage the city’s network. Certain “safety measures” were put in place and Kinslow was eventually fired.

Before Kinslow was let go, he utilized his administrator-level access to forward copies of emails sent to Cothran to his own personal email account. This was discovered by Cothran months later when he received a bounce notification specifying Kinslow’s email account. This alleged “criminal trespass” formed the basis for charges that resulted in Kinslow being convicted of a felony and sentenced to ten years of probation.

Kinslow challenged his conviction under this statute, claiming prosecutors did not present evidence that he had actually violated the law. The Georgia Supreme Court agrees [PDF] with Kinslow.

OCGA § 16-9-93 (b)(2) defines the offense of computer trespass, in relevant part, as “us[ing] a computer or computer network with knowledge that such use is without authority and with the intention of . . . [o]bstructing, interrupting, or in any way interfering with the use of a computer program or data.” Kinslow was charged with committing computer trespass by “us[ing] a computer network with knowledge that such use was without authority and with the intention of obstructing and interfering with data from a computer, by copying Greg Cothran’s e-mails and causing them to be forwarded to his own private e-mail account.”

The State thus was required to prove that Kinslow used a computer network knowingly without authority with the intention of obstructing or interfering with the use of data.We conclude that the evidence presented at trial was insufficient to prove that Kinslow’s use was done with the intention of obstructing or interfering with the use of data.

The court says the facts don’t fit the charged crime. There was no “obstruction” of data when Kinslow intercepted copies of Cothran’s emails.

Contrary to the State’s suggestion, the State presented no evidence that Kinslow’s e-mail forwarding scheme “blocked” or even “hindered” the flow of data in the form of e-mails to Cothran, who continued to receive those e-mails intended for him. Rather, the evidence showed only that Kinslow’s actions created an additional flow of data to another account.

There you have it: copying is not theft obstruction.

But wait, said the state, maybe it’s an [re-reads statute]… um… “interruption?”

Nope, says the court:

“Interrupt” carries a similar definition of stopping or hindering, although “interrupt” often denotes a more temporary stoppage than “obstruct,” such as “to make a break in the continuity of.” Again, the State presented no evidence that Kinslow’s actions hindered the flow of e-mails to Cothran, either permanently or temporarily.

Making copies also doesn’t “interfere” with the flow of data, the court decides. The flow of data was so unobstructed, uninterrupted, and un-interfered with that Kinslow’s supervisor didn’t even know it was happening until one of the emails bounced.

It’s a short, solid ruling that forces the state to accept the fact that words have meanings, and those meanings cannot be distended to encompass the actions seen here.

The dissent, however, thinks the court should have broadened the law to encompass all sorts of innocuous behavior by using the very loosest definitions of the word “interfere.”

Webster’s New Twentieth Century Dictionary (2d ed. 1983); “to interpose in a way that hinders or impedes: come into collision or be in opposition . . . to enter into or take a part in the concerns of others,” Webster’s Ninth New Collegiate Dictionary (9th ed. 1985); and “to come between so as to be a hindrance or an obstacle . . . to intervene or intrude in the affairs of others; meddle.” The American Heritage Dictionary of the English Language (3d ed. 1992). Black’s Law Dictionary (11th ed. 2019) primarily defines “interfere” as “[t]he act or process of obstructing normal operations or intervening or meddling in the affairs of others.”

So, under these definitions, shoulder-surfing someone else’s Facebook account would be a criminal act. Sure, probably no one would attempt to criminally charge anyone for doing this, but that’s the expansive reading the Chief Justice of this court thinks is correct.

This is a good ruling that clearly delineates what is or isn’t covered by this computer crime law. And while Kinslow’s actions may have been cheap, dishonest, and all-around lousy, they weren’t criminal.

Filed Under: cfaa, computer crime, emails, georgia, greg cothran, hacking, jereno kinslow