Slashdot Mirror

← Back to Stories (view on slashdot.org)

Clerk Printed Lottery Tickets She Didn't Pay For But Didn't Break Hacking Law (arstechnica.com)

Posted by msmash on from the setting-the-records-straight dept.

Violating a company rule is not -- and should not be -- a computer crime, that was the ruling of the Oregon Supreme Court in State v. Nascimento file. The Oregon's highest court ruled that while a convenience store clerk was guilty of stealing lottery tickets through the store's computer system, she did not violate the state's anti-hacking law while doing so. ArsTechnica shares more details: The Electronic Frontier Foundation, which appeared on Caryn Nascimento's behalf during the case as an amicus curae (friend of the court), announced the narrow victory on Tuesday. According to the Supreme Court's decision, the case dates back to 2007, when Nascimento began working at Tiger Mart, a small convenience store in Madras, Oregon, about 120 miles southeast of Portland. In late 2008 and early 2009, a company vice president began investigating what appeared to be cash shortages at that store, sometimes about $1,000 per day. After reviewing video recordings that correlated with Nascimento's work schedule, this executive began to suspect that she was buying lottery tickets but not paying for them. Eventually, Nascimento was charged not only with aggravated first-degree theft but also of violating the state's computer crime law, which includes language that "any person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits computer crime." She was convicted on both charges at trial. On appeal before the Oregon Supreme Court, Nascimento's lawyers argued that while their client may have violated a company policy to not print lottery tickets that she did not receive payment for, she was, in fact, authorized to access the lottery printing computer.

110 comments

  1. Typical abusive prosecution by gurps_npc · · Score: 5, Interesting

    Look, when someone breaks the law, punish them for what they did, not things that are SIMILAR to what they did.

    --
    excitingthingstodo.blogspot.com
    1. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      How similar are "Gross Negligence" and "Extreme Carelessness"?

    2. Re:Typical abusive prosecution by __aaclcg7560 · · Score: 2

      How similar are "Gross Negligence" and "Extreme Carelessness"?

      Without "Criminal Intent" you have no criminal case.

    3. Re:Typical abusive prosecution by gweihir · · Score: 3, Interesting

      Naaa, In a police-state you always prosecute people to the maximum possible, no matter how stupid and unjust. After all, you have to send a message to the population who the masters are! Were would we be if the serfs could just break the law and get away with anything below a life-sentence for it.

      On a completely unrelated thought, that this even needs a court decision shows how very badly out of control the US "legal" system is these days.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Typical abusive prosecution by un1nsp1red · · Score: 1

      Naaa, In a police-state you always prosecute people to the maximum possible, no matter how stupid and unjust. After all, you have to send a message to the population who the masters are!

      It's not a police-state problem, it's a for-profit prison system problem. Gotta pay those lobbyists to push for harsher sentencing laws.

    5. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      Look, when someone breaks the law, punish them for what they did, not things that are SIMILAR to what they did.

      She's lucky they didn't convict her for wire fraud, which is the federal offense they typically tack on to cases involving a computer, telephone or the internet. Punishable up to 30 years...

    6. Re:Typical abusive prosecution by Cederic · · Score: 1

      Oh, excellent. So I can drive around with my eyes shut as a test of my ability to use sonar from within my car, and because I'm not intending to break any laws I'm immune from prosecution should some idiot walk in front of me?

      Nice to hear.

      Hopefully the idiot will be you, so that you can learn the difference between gross negligence and criminal intent.

    7. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      798(f) requires does not require intent.

    8. Re:Typical abusive prosecution by gweihir · · Score: 1

      These go hand-in-hand.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Typical abusive prosecution by __aaclcg7560 · · Score: 2

      Hopefully the idiot will be you so that you can learn the difference between gross negligence and criminal intent.

      I have notified my attorney that you have threatened my life. If I should get run over in the near future, my attorney will have no problem persuading the authorities of your criminal intent. Expect to get the death penalty.

    10. Re:Typical abusive prosecution by Darinbob · · Score: 1

      Prosecutors are in love with piling on extra extra charges. It's a shotgun approach. If one charge gets remove maybe other ones will stick. It's also done as a way to pile on the maximum sentence and then intimidate the defendant into a plea bargain. Unauthorized computer access, hate crime, using a gun will committing a robber, being under the influence of drugs while committing a robbery, under the influence of drugs and using a gun while committing a hate crime on a computer, etc.

      It's also due in part from legistlators who feel they must keep adding new laws to prove that they're tough on crime and not like those other pansy legislators.

    11. Re: Typical abusive prosecution by iivel · · Score: 2

      Stop listening to whatever conspiracy news source you have. The Supreme Court cleared this up in 1941 (Gorin v United States). Intent to benefit a foreign power is, in fact, a requirement under that statute. You can read a really simple summay here: http://warontherocks.com/2016/...

    12. Re:Typical abusive prosecution by Aighearach · · Score: 1

      Very few prisoners in Oregon are in private institutions, so probably not.

      You gotta know your head from a hole in the ground before you can decide who the "masters" are, unless you're just going to point in the shadows all the time.

      This is a typical case for Oregon. Our cops and prosecutors suck the same as everywhere, but we have pretty good laws and pretty good courts.

    13. Re:Typical abusive prosecution by Aighearach · · Score: 2

      You have to use an interstate system for that. This is a State lottery system; you can't buy tickets outside the State at all. And it has to be fraud to be wire fraud; she didn't do anything fraudulent, she simply didn't pay for items (lottery tickets) that she took. She didn't lie or misrepresent anything to gain access to the system; she was a real employee.

      The Court ruled here that because as an employee she was authorized to use the lottery machine, they can't accuse her of unauthorized use of the machine; the law doesn't establish gray areas of partial authorization, it only punishes use of a computer system that was not authorized. Clearly, misuse while authorized is still authorized use, even if it violates laws related to paying for things you walk out of a store with.

    14. Re: Typical abusive prosecution by Iamthecheese · · Score: 1

      So charge her under whatever law was used against Nishimura.

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    15. Re:Typical abusive prosecution by mysidia · · Score: 3, Interesting

      What we need to do is stipulate a rule: If the defendant is proven not-guilty of any one of the charges presented,
      then they are automatically released of all charges related to their chain actions that some have been deemed criminal.

      Afford the defendant the CHOICE regarding which charge or charge(s) will be decided upon first, and in what order for the subsequent ones.

      Any further charge for the same chain of actions would be double jeopardy.

      So if one of the charges is bogus, the Defendant will have that charge heard first, and once found innocent, be cleared of all the others.

      That should encourage prosecutors to only charge the offense for a certain series of actions that they actually have evidence for, And only make the high-quality charges, not specious or dubious ones "To hope something sticks"

    16. Re:Typical abusive prosecution by Archfeld · · Score: 1

      So if a prosecutor tries for 1st degree murder and fails to prove premeditation the murderer should go free ? That logic leaves a lot to be desired in reality.

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    17. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      Oh, excellent. So I can drive around with my eyes shut as a test of my ability to use sonar from within my car, and because I'm not intending to break any laws I'm immune from prosecution should some idiot walk in front of me?

      Nice to hear.

      Hopefully the idiot will be you, so that you can learn the difference between gross negligence and criminal intent.

      You need to grow the fuck up.

      Didn't expect to have to say that to a poster with such a low uid, but it does prove that age is far from the only factor involved in growing up.

      You are not a grownup. You may be old, but your mentality is in this case similar to a child of ten.

      Again: Grow the fuck up.

    18. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      The USAIan legal system is so Byzantine that a good legal case can be made for everyone in the USA being guilty of violating all the laws all the time. The legal system is designed to cover every aspect of everyone's life from beginning to end. It also contradicts itself. This is why have courts. Lady Justice is blind. She judges cases not based on color of skin or occupation. She just weighs which side has the most gold. The party that is guilty of not having enough gold to tip the scales of justice goes to jail for many many years.

      Yet we can not have anarchy, so we say that ignorance of the law is no excuse for violating it. Yet no single legal expert is actually able to say exactly how many laws the USA has. The only solution is the get really really rich. That way you can hire the best lawyers, and the scales of justice will always tip in your favor.

       

    19. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      You have to use an interstate system for that. This is a State lottery system; you can't buy tickets outside the State at all.

      If her ticketing machine accessed a central server over the internet, that would be enough, no need for the data actually going to a different state.

      And it has to be fraud to be wire fraud

      That's probably what saved her bacon. But just a technicality like using a throwaway email account (and thereby "impersonating" someone else) could have made it fraud.
      The wire fraud laws are very vague and come with huge penalties. Just making a phone call or using Facebook during the course of a crime can add 30 years to your sentence.
      Luckily some judges still have common sense.

    20. Re:Typical abusive prosecution by tigersha · · Score: 1

      Weirdly, in a way, you also just threatened him with his life, so he can call his lawyers and do the same. Which will result in an infinite stack of recursive life-threat-lawyer-enriching legal nightmare.

      What a way to crash the legal system!

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
    21. Re:Typical abusive prosecution by AmiMoJo · · Score: 1

      I like this idea, it will stop prosecutors throwing in things like sexual assault and child pornography charges as a way of painting the defendant as some kind of monster and piling up the potential years on them as a way to pressure them into taking a plea deal.

      The only down side I can see is that juries might be tempted to convict people of things they didn't do in order to get the them convicted of other things they did. Say there was an accused rape-murder, but it turns out it was just some consensual sex gone wrong. Might still be manslaughter (or I think 3rd degree murder in the US, I'm not sure of the terminology) but unless the jury finds them guilty of the rape too the whole thing collapses.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    22. Re:Typical abusive prosecution by Cederic · · Score: 1

      Oh dear. Did reductio ad absurdum completely pass you by?

    23. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      These are US right? So why did they not execute her on the spot - I think that is a valid procedure and cost effective it is too!

    24. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      Would it not be enough to have an account somewhere like FB or whatever was available at the time? Or her mobile phone was registered in some network so even if she was not using it at the time she was communicating possibly outside the state. I guess you just have to be inventive as a public prosecutor and creatively apply the laws of the land. With enough laws you may need an AI digging trough it to find the laws you broke today citizen. Maybe you should consider self-registration in reeducation center outside city limits?

    25. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      If the prosecutor was aware there was a chance they couldn't prove premeditation then they shouldn't have gone for 1st degree murder, they should have gone for manslaughter (which you Americans still call murder for some reason, even though murder literally means premeditated killing).

    26. Re:Typical abusive prosecution by operagost · · Score: 1

      Just like patent trolls taking prior art and appending "on a computer", the justice system now takes old laws and appends "on a computer".

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    27. Re:Typical abusive prosecution by __aaclcg7560 · · Score: 1

      Weirdly, in a way, you also just threatened him with his life, so he can call his lawyers and do the same.

      I did not threaten his life. I just told him of the legal consequences of his actions if he follows through on his threat on my life. The punishment for premeditated murder in some states is the death penalty. His attorney should instruct him not to make death threats on the Internet.

    28. Re: Typical abusive prosecution by __aaclcg7560 · · Score: 2

      So charge her under whatever law was used against Nishimura.

      Not applicable.

      http://mediamatters.org/research/2016/07/06/right-wing-media-run-another-baseless-comparison-clinton-emails/211379

    29. Re:Typical abusive prosecution by Anonymous Coward · · Score: 0

      Holy fuck, AmiMoJo admitting that sometimes people accused of sexual assault haven't actually sexually assaulted one of your cisfemale hunnies? Did somebody hack your account?

    30. Re: Typical abusive prosecution by david_thornley · · Score: 3, Informative

      The cases are not comparable. Nishimura deliberately put classified material on his personal systems. Clinton had insufficient safeguards against classified material being on her systems. There's a difference in intent here, which is why Nishimura was prosecuted and Clinton wasn't. I'm not saying what's legal or illegal here, just that nobody's found me a case like Clinton's where there was criminal prosecution.

      (Intent, in US law, in general means intent to commit an act that is illegal. Nishimura had intent in putting classified material on his systems. Clinton did not.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    31. Re:Typical abusive prosecution by david_thornley · · Score: 1

      It's a matter of an unclear law. I'd bet you could find unclear and badly written laws anywhere.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. $1,000 a DAY was missing? by FlyHelicopters · · Score: 2

    And someone just "investigated"?

    Was the boss asleep? Whenever I've worked retail, a report was required for more than $20 missing from a cash drawer...

    $1,000 would have been unthinkable!

    1. Re:$1,000 a DAY was missing? by Marxist+Hacker+42 · · Score: 1

      was really just a couple of weeks before somebody investigated. Things are a bit looser in small towns than in the big city. Still, it took 7 years for the case to wind its way up to the Oregon Supreme Court. Would have been faster if she had been a lesbian.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    2. Re:$1,000 a DAY was missing? by gmack · · Score: 4, Informative

      The money wouldn't have been missing from the cash register. It would have shown up when the store gets it's bill from the lottery company for purchased tickets that were never actually purchased.

    3. Re: $1,000 a DAY was missing? by ShaunC · · Score: 5, Informative

      But she is authorized to use the register. I don't see why she can't take all the money and claim the same defense she used here.

      Because it's still aggravated first-degree theft even if you're authorized to use the register. She stole, and was convicted for stealing. There's no need for any more charges to be piled on.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re: $1,000 a DAY was missing? by Qzukk · · Score: 1

      I don't see why she can't take all the money and claim the same defense she used here.

      She can't. She's still guilty of theft, so this defense doesn't work on theft. It only works on being accused of using a computer without authorization when you steal lottery tickets you're authorized to print.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    5. Re: $1,000 a DAY was missing? by JeffAtl · · Score: 2

      I think the point is that she is guilty of theft and/or embezzlement and should be punished for that. The fact that a computer or cell phone was used shouldn't matter.

      The spirit of the computer crime laws are supposed to apply to breaking into systems.

    6. Re:$1,000 a DAY was missing? by pinkfalcon · · Score: 1

      It would have shown as a sale on the daily receipts to the lotto company, but the cash for the sales would not have been in the cash drawer - hence it was 'missing'.

      My question is, how long did she think she could get away with it? Maybe she was hoping she could hit it big and disappear before she was caught? But then she would have had to collect the money from the same employer she was stealing from....

      --
      Real SUV's don't have cupholders
      It's 5:42 A.M., do you know where your stack pointer is?
    7. Re: $1,000 a DAY was missing? by Anonymous Coward · · Score: 0

      Look it's one thing to be stupid. But you, you're being stupid ... while using a computer. It another whole level of stupidity!

    8. Re: $1,000 a DAY was missing? by Anonymous Coward · · Score: 0

      But why not try to get her for terrorism and murder?

    9. Re: $1,000 a DAY was missing? by turbidostato · · Score: 1

      "But she is authorized to use the register. I don't see why she can't take all the money and claim the same defense she used here."

      She can and she should win on that charge. How in hell does taking all the money from the register she was allowed -and even commanded, to operate, make into a "hacking" case?

    10. Re: $1,000 a DAY was missing? by gnasher719 · · Score: 1

      She can't. She's still guilty of theft, so this defense doesn't work on theft. It only works on being accused of using a computer without authorization when you steal lottery tickets you're authorized to print.

      So if I, as a customer, sneaked into the store and printed thousand lottery tickets without paying, _that_ would be theft _and_ computer hacking because I was not authorized to print tickets. In her case, because she was authorized to print the ticket, it's only theft.

    11. Re: $1,000 a DAY was missing? by Anonymous Coward · · Score: 0

      If she steal from the cash register, it is theft but not a break-in (she had access and merely betrayed the trust.) If I kick in the door and break open the cash register, then it is both theft and a break-in.

      Similiar when a computer is used. She was entrusted to access the computer, so she did not hack. She merely abused that trust to steal lottery tickets. If I guess her password and prints some lottery tickets for myself, then it is both theft and hacking.

      So she stole from her employer - standard punishment for stealing plus loss of job. But no hacking.

    12. Re: $1,000 a DAY was missing? by Darinbob · · Score: 1

      She stole money, that's it. She used the lottery computer to do so, but that's just a consequence of committing the crime, it should not be an additional crime. That's like tacking on an extra charge that said she put the tickets in her pocket without permission. The defense she gave was only for the tacked on charge of using a computer without authorization, she was still guilty of the original charge so it's hardly a "defense".

    13. Re: $1,000 a DAY was missing? by Darinbob · · Score: 1

      And of course whoever wrote the whole computer-without-authorization bill almost certainly intended it to be used for stereotypical hacking cases, almost certainly how it was presented to other legislators when it was voted on.

    14. Re: $1,000 a DAY was missing? by Darinbob · · Score: 1

      Not just breaking into systems though. Let's say someone leaves a laptop unattended while going to the restroom and forgets to lock it. Someone can sit down and use it without permission, modify files, etc, and the spirit of the law should cover that situation. But charging someone who embezzled money from an employer with an additional crime of using a work computer to do so without permission is an overreach. But prosecutors do so to intimidate defendants into a plea bargain. "You're looking at a maximum of 173 years if you're found guilty, maybe you should accept our offer of 5 years minus time served."

    15. Re: $1,000 a DAY was missing? by Anonymous Coward · · Score: 0

      That money she stole could have been used to save lives, thus she is a murderer.

      -MPAA

    16. Re:$1,000 a DAY was missing? by Aighearach · · Score: 1

      Addicts aren't engaged in long-term planning, that is well known. Gambling is one of the most addictive things known.

    17. Re: $1,000 a DAY was missing? by Aighearach · · Score: 1

      No, the Oregon law only covers authorized access to systems that are protected from authorized access. Walking up and typing on an unattended laptop is clearly not covered. Also, if she embezzled or not (not, here, as it was just simple theft not a misappropriation) is irrelevant. If she worked in a stock room and was not authorized to sell the tickets using the machine, then she would have violated the computer crime law. That law is about if you were authorized or not, and if the system was clearly protected from unauthorized access.

      For a criminal law to apply to an action, the action has to violate both the letter and the spirit of the law. Just violating the spirit of the law but not the letter isn't enough. In a civil action, it might be, depending.

    18. Re: $1,000 a DAY was missing? by Anonymous Coward · · Score: 0

      even worse that money she stole kept someone else from buying music and/or movies, and so she is aiding PIRACY!

      there FTFY

    19. Re: $1,000 a DAY was missing? by mysidia · · Score: 1

      So if I, as a customer, sneaked into the store and printed thousand lottery tickets without paying, _that_ would be theft _and_ computer hacking

      Breaking and Entering, And Theft.

      I don't know about computer hacking; depends on what you had to do to get the machine to print tickets for you....

    20. Re:$1,000 a DAY was missing? by hlavac · · Score: 1

      She was probably hoping to win and then return the missing money from that :) Too bad she didn't understand the odds of winning...

    21. Re: $1,000 a DAY was missing? by operagost · · Score: 1

      B&E assumes the store was closed and locked. You could also do it while the door is open, and have an accomplice distract the employee while you sneak behind the counter.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    22. Re: $1,000 a DAY was missing? by david_thornley · · Score: 1

      I don't have any authorization to use that system. It would count as unauthorized use for purposes of the CFAA.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    23. Re: $1,000 a DAY was missing? by mysidia · · Score: 1

      It would count as unauthorized use for purposes of the CFAA.

      Only if they implement access control measures on the system, such as warning banners, or access codes: to make it clear that this particular computer is not a system that the public is authorized to use, like an ATM.

  3. Makes no sense... by Anonymous Coward · · Score: 1

    Violating a company rule means that the access done in violation was unauthorized. It would be just like loaning a vehicle to someone stipulating that they were not to go off-road, some security camera shows them mud-bogging, and then nailing the car borrowers with grand theft, because authorization to drive was revoked.

    1. Re:Makes no sense... by Anonymous Coward · · Score: 0

      The analogy would actually be that if the employee went mud-bogging and the vehicle has an engine control computer, the employee could be charged with hacking.

    2. Re:Makes no sense... by Anonymous Coward · · Score: 0

      No, GP had it right already.

    3. Re:Makes no sense... by Anonymous Coward · · Score: 0

      Yes and no. It's exactly like you say, except the person COULD NOT be charged with grand theft.

      Grand theft concerns the right to take possession of the car, which that person clearly did. He violated your rule, but unless and until you told him to give the car back he didn't steal the car. The guy may have violated some other criminal statute, of course, by not obeying your restriction, but generally speaking under traditional criminal laws related to property he's just a bad person, not a criminal.

      It's the same here, and it's why so many courts are interpreting the statute the same way. The person had authorization to access the computer. He violated a rule about _how_ to use the computer, but that's a different matter. Criminal statutes are normally construed narrowly, especially when some other reading would criminalize a ton of innocent or accidental behavior.

      And don't forget, the clerk was convicted of a crime, just another crime. It's obvious that the law regarding unauthorized computer access was intended to criminalize hacking, which otherwise might only be chargeable with simple trespass, if even that. We can have a debate about the legitimacy of criminalizing white hat vs black hat hackers, etc, but that's another matter.

    4. Re:Makes no sense... by Aighearach · · Score: 1

      Right, it would be exactly like that, except that in Oregon we don't have "grant theft auto" we have "unauthorized use of a motor vehicle" and unlike the computer law, it uses an analog measurement where the intended use is taken into consideration. If you borrow a car and say you're going to the library, and you go to a concert, that is actually a felony in Oregon.

  4. nice precedent to set by Anonymous Coward · · Score: 1

    "I told them they could not have any more cheese then they went and opened the fridge. Throw the book at them that was unauthorized access to the computer. Then they went and used the microwave!!!"

    Even though the law as written seems pretty clear
    "any person who knowingly and without authorization uses, accesses or attempts to access any computer"
    this is a very good precedent to be set when we are proceeding towards where there are computers in everything.

    1. Re:nice precedent to set by Anonymous Coward · · Score: 0

      The microwave has a computer chip inside. So does that fridge.

      Bake 'em away, toys, for computer hacking.

    2. Re:nice precedent to set by Anonymous Coward · · Score: 0

      LOL. Been using the "Bake 'em away, toys" line for years, and only ever receive weird looks.

      Finally someone else knows the line.

    3. Re:nice precedent to set by Quirkz · · Score: 1

      I've been using spoonerisms for years, and only ever receive strange looks, except for two Simpsons quotes. The one above plus "tai chi, chai tea".

      --
      The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
  5. This could've gone either way by davidwr · · Score: 2

    There are two common-sense readings, and the court took one of them.

    The other common-sense reading is that the employee was only authorized to access the device to do things that complied with company policy, and that her authorization to accessed it was implicitly suspended during the time she was violating company policy.

    Since the court went the way they went, expect some companies in Oregon to go back and spell out very clearly that when you are using company equipment in violation of company policy, your authorization to use the equipment is immediately suspended for the duration of your out-of-policy use and, as a result, you are violating Oregon state law and that the company reserves the right to press charges.

    Personally, I think the court made the right decision, because 1) it's very easy for companies to "work around it" by modifying their policies, and 2) the court's ruling prevents "gotcha" situations where the law was ambiguous and, prior to a judge ruling on the issue to remove the ambiguity, a reasonable person could read the law as not applying.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:This could've gone either way by Anonymous Coward · · Score: 0

      There's not even anything that companies need to "work around", because this ruling doesn't mean what the woman did was legal. It just means she's only guilty of the theft she actually committed, not the hacking that the prosecution decided to pretend she committed. Theft is still illegal.

    2. Re:This could've gone either way by silas_moeckel · · Score: 5, Insightful

      Because the physical world equivalent is she went into the store room and stole stuff while working there and having access to said store room. It would not seem reasonable to charge a store clerk with breaking and entering etc for going into the back room and stealing stuff and this is no different.

      --
      No sir I dont like it.
    3. Re:This could've gone either way by Anonymous Coward · · Score: 0


      Since the court went the way they went, expect some companies in Oregon to go back and spell out very clearly that when you are using company equipment in violation of company policy, your authorization to use the equipment is immediately suspended for the duration of your out-of-policy use and, as a result, you are violating Oregon state law and that the company reserves the right to press charges.

      Do you really want to work for a company that violating policy can get you put in jail? I sure as shit don't. I'd quit right then and there.

      Company policy can be anything. It could be simply being rude to a customer. I'd rather not have MegaCorp able to be in control of what becomes effectively illegal.

      "Oops Bob, you just violated corporate policy by not smiling at the customer for at least 5 minutes. Your access to the system has been revoked without your knowledge, and now you're going to pound-me-in-the-ass prison for violating the computer fraud and abuse act. Better think about that next time you work at Gas-N-Go!"

    4. Re:This could've gone either way by fnj · · Score: 1

      Earth to commenter. The clerk DID NOT use the machine without authorization. This is crystal clear. The EFF is absolutely correct, end of story. The clerk is guilty of theft, not some trumped-up "computer crime". Jesus save us from this SHIT. It is criminal justice CORRUPTION, plain and simple.

    5. Re:This could've gone either way by pezpunk · · Score: 2

      very good analogy. this wasn't theft and hacking, this was just theft.

      a store clerk stealing from the till can't be charged with breaking into the store.

      --
      i could live a little longer in this prison
    6. Re: This could've gone either way by Anonymous Coward · · Score: 0

      It is against my company policy to use company systems for personal use. Should I have to go to prison for 20-years for "computer crime", if I happen to fire up slashdot on my lunch break?

    7. Re:This could've gone either way by omnichad · · Score: 1

      The other common-sense reading is that the employee was only authorized to access the device to do things that complied with company policy, and that her authorization to accessed it was implicitly suspended during the time she was violating company policy.

      While that may be a common-sense reading, it's a horrible precedent to set. Especially when it's not a company-employee relationship but rather manufacturer-customer. The DMCA is bad enough without the CFAA being shoehorned onto every crime too.

    8. Re: This could've gone either way by Cederic · · Score: 1

      Only if you can't provide a convincing argument why Slashdot is required for your work.

      I can think of seven different possible reasons without even pausing to consider the outliers.

    9. Re:This could've gone either way by jewens · · Score: 1

      This is more like trespassing than breaking and entering.

      --
      That group of bovine standing over there appears quite portentous. That's right it's an ominous cow herd.
    10. Re:This could've gone either way by Anonymous Coward · · Score: 0

      Not trespassing. She was authorized to print lottery tickets the way she did. Such "use of the computer" is fine - as long as she pay for the tickets thus printed. She did not - similiar to grabbing stuff from the aisles and not paying. Plain old employee theft.

    11. Re:This could've gone either way by DRJlaw · · Score: 1

      Since the court went the way they went, expect some companies in Oregon to go back and spell out very clearly that when you are using company equipment in violation of company policy, your authorization to use the equipment is immediately suspended for the duration of your out-of-policy use and, as a result, you are violating Oregon state law and that the company reserves the right to press charges.

      Personally, I think the court made the right decision, because 1) it's very easy for companies to "work around it" by modifying their policies...

      Which will have absolutely no effect. The court opinion does not leave room "suspension for the duration of out-of-policy use." It's quite clear (pp. 41-42) in that respect:

      "Viewed in that light, the text supports defendant's assertion that her use of the lottery terminal to print Keno tickets -- as she was trained and permitted by her employer to do -- was "authorized" use. The fact that she printed the tickets for her own use and did not pay for them may have violated company policies and other parts of the computer crime statute (in addition to the theft statute), but her use was not "without authorization" as that term is used in ORS 164.377(4). That conclusion is supported by the evidence that, once a store manager had signed into the terminal and activated it at the beginning of the work day, employees such as defendant could use the terminal to print Keno tickets without additional authentication or permission. When defendant physically accessed and used the terminal to print Keno tickets, that access and use was authorized by her employer. Moreover, there was, for example, no evidence that defendant circumvented any computer security measures, misused another employee's password, or accessed any protected data. The sole basis for the state's claim that defendant's printing of Keno tickets was "unauthorized" was the employer's policy that employees were not supposed to print tickets for their own use and were supposed to obtain payment for tickets before printing them."

      Saying that "we really, really mean that our policy is that you are not authorized to print tickets for your own use and without obtaining payment" does not change that analysis. It's not a "magic word" case, it's a physical process case. If you authorize an employee to access the computer and do not set up actual access controls to prevent an employee from engaging in misuse, such misuse might be a crime, but cannot be this crime.

    12. Re:This could've gone either way by silas_moeckel · · Score: 1

      Who would it be trespassing? She was there during or immediately before/after assigned shifts. It was just theft we realy do not need to add with a computer to ever existing crime to be something special. Oh no she used a keycard to access a space, thats a comouter ya know so it's a whole nother crime above ya know theft makes no sense. Frankly the whole let's do the shotgun approach to crime does not make sense they are just abusing the system pushing for plea deals. One act one crime.

      --
      No sir I dont like it.
  6. She didn't break any anti-hacking laws. by Anonymous Coward · · Score: 0

    She was authorized to access the computer system she used as part of her job responsibilities. The fact she abused her access to it is beside the point. She didn't hack into it in the slightest.

    Kinda like how you can be charged with breaking an entering in a home you did not break into and were already authorized to be in even if you do something you aren't allowed to do while you are in.

    Her lawyers were correct in that regard.

  7. Straight up theft by ronmon · · Score: 1

    Really, it's no different than loading up you car with merchandise that you did not pay for.

    1. Re:Straight up theft by Lisias · · Score: 1

      Really, it's no different than loading up you car with merchandise that you did not pay for.

      What's completely different from loading a stolen car with merchandise that you did not pay for.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
  8. Don't most places have the lotto system with it's by Joe_Dragon · · Score: 1

    Don't most places have the lotto system with it's own cash door and she may be looking at hard time for stealing lotto.

  9. Trying to abuse it eh... by Anonymous Coward · · Score: 0

    She had the authorization for it, it's not hacking, it's just theft.

  10. Tollroads can try this BS on speeding by Joe_Dragon · · Score: 1

    Tollroads can try this BS on speeding by go over the limit you are not authorization to use the ETC / camera / coin counting system so you are now looking at hard time under the computer crime law.

    They can try that but in IL they will need to build a lot of court rooms and jails to handle the case load. Also good luck finding people to fill all the jury's.

  11. It's about time by omnichad · · Score: 3, Insightful

    It's about time someone set the right precedent. Now there's finally some good case law for every count of "crime...but on a computer" to NOT count as a violation of CFAA.

  12. quid pro quo by Anonymous Coward · · Score: 0

    ... executive began to suspect that she was buying lottery tickets but not paying for them.

    how does one "buy" something without paying for it?

    She was printing them – without paying for them. She was stealing. She was a lot of things, but she wasn't buying them.

    And yes, there are ways of paying for things other than with money.

  13. Re:Don't most places have the lotto system with it by edtice1559 · · Score: 1

    I've only ever seen those in California. In every other state where I've been (certainly not all of them), there is a lotto printing machine. The clerk prints the request number of tickets and rings up the sale. Once the ticket is printed, they owe the lottery the money for the purchase. The clerks manufacture (print) the tickets, sell them, and collect the money. What she did here was manufacture and steal tickets. She didn't do anything to alter the behavior of the ticket printing machine nor of the cash register.

  14. Re:Don't most places have the lotto system with it by yakatz · · Score: 1

    In some states (like Maryland for example), that is optional. Large supermarkets usually have the separate drawer, but places like 7-Eleven use the regular cash register drawer.

  15. What value, side note by Archfeld · · Score: 2

    What was the value of the lottery tickets stolen ? Was it valued at the $1.00 per pick or the value if you won ? It was only $1.00 at the time of the theft, can they retroactively apply appreciation to the value of the item ? If you stole $10.00 from the till and one of the dollars turned out to be a rare silver certificate, but that fact was unknown to any party involved at the time of the crime, I wonder if the crime is still a $10.00 theft ?

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:What value, side note by phantomfive · · Score: 1

      It's possible the store (her employer) still had to pay the State Lottery board (or whatever) the money for the tickets she 'bought'

      --
      "First they came for the slanderers and i said nothing."
    2. Re:What value, side note by edtice1559 · · Score: 1

      The store did have to pay. For each ticket that is printed, the store gets a bill. The local printers are dumb terminals. They just send a request to a central server, get a response, and print out a ticket. Immediately after a drawing, the lottery knows whether there is a winner and where the ticket was purchased. They invoice the stores for all of the tickets sold. I imagine she got away with this because there is some delay from the time she stole the tickets until the store got the bill and knew something was amiss.

  16. Why by Anonymous Coward · · Score: 0

    She was convicted on both charges at trial.

    Presumably her lawyers raised the obvious point at her trial, so why was she convicted of a 'break and enter' that she didn't commit?

  17. I understand the EFF's concern but ... by Wrath0fb0b · · Score: 1

    I get that they think the CFAA is overbroad and this is a prosecutorial pile-on. And maybe it is.

    At the same time (and to be fair), this may have a negative impact on privacy.

    Consider a scenario where an individual (say, a police dispatcher) has authorization to use a computer system (say, court records, warrants, DMV records) for legitimate purpose (in dispatching the police). Now she goes and uses her access to that computer beyond the bounds of that authorization: to help a friend that is a PI, to stalk her ex, to get juicy leads so she can paparazzo some douchy D-list actor when he gets out of his DUI.

    Once you think about it this way -- how many people need access to systems with personal information to do their jobs but for which it's not feasible to have technical solutions -- you wonder how to create a workable legal solution that doesn't need to be re-done for every possible use-case. CFAA may be a poorly drafted attempt, but the goal of criminalizing exceeding your authorization (if not your access) to a computer system makes sense and, I would argue, is privacy protecting.

    1. Re:I understand the EFF's concern but ... by david_thornley · · Score: 1

      Your concern is about someone using authorized access in unauthorized ways. There are laws against at least some applications. If your doctor's office reveals confidential information without permission, that's illegal under HIPAA, no matter whether a computer was even involved. There are doubtless other laws that apply in some circumstances.

      Throwing CFAA at people who violated terms of service is really, really dangerous. Having general laws so you can make up a reason why someone committed a felony under them is bad.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  18. Re:Blame it on the election by Archfeld · · Score: 1

    Can't be Lucifer, but maybe Lilith ?

    https://en.wikipedia.org/wiki/...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  19. Seems they went after the wrong criminal. by Anonymous Coward · · Score: 0

    Sure she stole many thousands of dollars. On the other hand the lottery commision was stealing billions of dollars from poor people to raise the salaries of rich entitled politicians. Sorry I did not mean that. I meant the lottlery is being used to raise money so that rich entitled politicians can send their kids to private schools. Sorry didn't mean that I really meant the lottery is being used to raise money so that poor disadvantaged students can receive a decent education.

    Yea that is it; rich people are buying tons of lottery tickets so they can send give poor people a decent education.

        Come to think of it this convenience store clerk is truly evil. She was stealing the future away from poor people THE STATE SHOULD FRY HER!

  20. Buying without paying=stealing? by wonkey_monkey · · Score: 1

    this executive began to suspect that she was buying lottery tickets but not paying for them

    So not buying them, then? Perhaps we could call this thing "stealing."

    --
    systemd is Roko's Basilisk.
    1. Re:Buying without paying=stealing? by Anonymous Coward · · Score: 0

      So not buying them, then? Perhaps we could call this thing "stealing."

      from m-w.com: 'buying' - to acquire possession, ownership, or rights to the use or services of by payment especially of money

      Tickets were bought because money/funds (of the store/company she worked for) were electronically exchanged, and the shortages were later discovered by a vice-president conducting an investigation/audit. In this instance the store is the 'middleman': technically the employee 'buys' the tickets on behalf of her employer/store and then a transaction is made in which the customer exchanges $$$ with the store/employer (usually via the same employee) for possession and ownership of the tickets.

      The tickets were bought because the promoter/operator of the lottery did receive $$$ for a transaction conducted by an authorized representative of the store. The real issue is that she did not then reimburse the store as she was the genitor of the transaction and it was not on behalf of a customer.

  21. Nulla poena sine lege. by Ihlosi · · Score: 1
    "Nulla poena sine lege." - No punishment without an appropriate law.

    And prosecutors, having (hopefully) studied Law, should know this.

    1. Re:Nulla poena sine lege. by operagost · · Score: 1

      Public schools violate this principle all the time. Kid breaks a "zero tolerance" policy by drawing a picture of a gun? Expulsion. Unfortunately, nothing changes because it's mostly parents who can't afford bringing a lawsuit who have to send their kids to public school.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  22. It's still unauthorized access. by Anonymous Coward · · Score: 0

    If the clerk was printing tickets for purposes other than to sell then it's still unauthorized access.

  23. Definite Article by freeze128 · · Score: 1

    When referring to the US State, it's just "Oregon", not "The Oregon".

    1. Re:Definite Article by laie_techie · · Score: 1

      When referring to the US State, it's just "Oregon", not "The Oregon".

      That is true, but we talk about "the Oregon Supreme Court", and not just "Oregon Supreme Court".

    2. Re:Definite Article by freeze128 · · Score: 1

      Yeah, read the NEXT sentence.

  24. What if she would have won? by Puppet+Master · · Score: 1

    Would she then be entitled to the winnings? I would think not.

    --
    The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vaccuum Cleaner!