Clerk Printed Lottery Tickets She Didn't Pay For But Didn't Break Hacking Law (arstechnica.com) 110
Violating a company rule is not -- and should not be -- a computer crime, that was the ruling of the Oregon Supreme Court in State v. Nascimento file. The Oregon's highest court ruled that while a convenience store clerk was guilty of stealing lottery tickets through the store's computer system, she did not violate the state's anti-hacking law while doing so. ArsTechnica shares more details: The Electronic Frontier Foundation, which appeared on Caryn Nascimento's behalf during the case as an amicus curae (friend of the court), announced the narrow victory on Tuesday. According to the Supreme Court's decision, the case dates back to 2007, when Nascimento began working at Tiger Mart, a small convenience store in Madras, Oregon, about 120 miles southeast of Portland. In late 2008 and early 2009, a company vice president began investigating what appeared to be cash shortages at that store, sometimes about $1,000 per day. After reviewing video recordings that correlated with Nascimento's work schedule, this executive began to suspect that she was buying lottery tickets but not paying for them. Eventually, Nascimento was charged not only with aggravated first-degree theft but also of violating the state's computer crime law, which includes language that "any person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits computer crime." She was convicted on both charges at trial. On appeal before the Oregon Supreme Court, Nascimento's lawyers argued that while their client may have violated a company policy to not print lottery tickets that she did not receive payment for, she was, in fact, authorized to access the lottery printing computer.
Typical abusive prosecution (Score:5, Interesting)
Look, when someone breaks the law, punish them for what they did, not things that are SIMILAR to what they did.
Re: (Score:3)
How similar are "Gross Negligence" and "Extreme Carelessness"?
Without "Criminal Intent" you have no criminal case.
Re: (Score:2)
Oh, excellent. So I can drive around with my eyes shut as a test of my ability to use sonar from within my car, and because I'm not intending to break any laws I'm immune from prosecution should some idiot walk in front of me?
Nice to hear.
Hopefully the idiot will be you, so that you can learn the difference between gross negligence and criminal intent.
Re: Typical abusive prosecution (Score:2)
Re: (Score:1)
Re: (Score:3)
So charge her under whatever law was used against Nishimura.
Not applicable.
http://mediamatters.org/research/2016/07/06/right-wing-media-run-another-baseless-comparison-clinton-emails/211379 [mediamatters.org]
Re: Typical abusive prosecution (Score:4, Informative)
The cases are not comparable. Nishimura deliberately put classified material on his personal systems. Clinton had insufficient safeguards against classified material being on her systems. There's a difference in intent here, which is why Nishimura was prosecuted and Clinton wasn't. I'm not saying what's legal or illegal here, just that nobody's found me a case like Clinton's where there was criminal prosecution.
(Intent, in US law, in general means intent to commit an act that is illegal. Nishimura had intent in putting classified material on his systems. Clinton did not.)
Re: (Score:3)
Hopefully the idiot will be you so that you can learn the difference between gross negligence and criminal intent.
I have notified my attorney that you have threatened my life. If I should get run over in the near future, my attorney will have no problem persuading the authorities of your criminal intent. Expect to get the death penalty.
Re: (Score:2)
Weirdly, in a way, you also just threatened him with his life, so he can call his lawyers and do the same. Which will result in an infinite stack of recursive life-threat-lawyer-enriching legal nightmare.
What a way to crash the legal system!
Re: (Score:2)
Weirdly, in a way, you also just threatened him with his life, so he can call his lawyers and do the same.
I did not threaten his life. I just told him of the legal consequences of his actions if he follows through on his threat on my life. The punishment for premeditated murder in some states is the death penalty. His attorney should instruct him not to make death threats on the Internet.
Re: (Score:2)
Oh dear. Did reductio ad absurdum completely pass you by?
Re:Typical abusive prosecution (Score:4, Interesting)
Naaa, In a police-state you always prosecute people to the maximum possible, no matter how stupid and unjust. After all, you have to send a message to the population who the masters are! Were would we be if the serfs could just break the law and get away with anything below a life-sentence for it.
On a completely unrelated thought, that this even needs a court decision shows how very badly out of control the US "legal" system is these days.
Re: (Score:2)
Naaa, In a police-state you always prosecute people to the maximum possible, no matter how stupid and unjust. After all, you have to send a message to the population who the masters are!
It's not a police-state problem, it's a for-profit prison system problem. Gotta pay those lobbyists to push for harsher sentencing laws.
Re: (Score:2)
These go hand-in-hand.
Re: (Score:2)
Very few prisoners in Oregon are in private institutions, so probably not.
You gotta know your head from a hole in the ground before you can decide who the "masters" are, unless you're just going to point in the shadows all the time.
This is a typical case for Oregon. Our cops and prosecutors suck the same as everywhere, but we have pretty good laws and pretty good courts.
Re: (Score:2)
It's a matter of an unclear law. I'd bet you could find unclear and badly written laws anywhere.
Re: (Score:3)
You have to use an interstate system for that. This is a State lottery system; you can't buy tickets outside the State at all. And it has to be fraud to be wire fraud; she didn't do anything fraudulent, she simply didn't pay for items (lottery tickets) that she took. She didn't lie or misrepresent anything to gain access to the system; she was a real employee.
The Court ruled here that because as an employee she was authorized to use the lottery machine, they can't accuse her of unauthorized use of the machi
Re: (Score:2)
Prosecutors are in love with piling on extra extra charges. It's a shotgun approach. If one charge gets remove maybe other ones will stick. It's also done as a way to pile on the maximum sentence and then intimidate the defendant into a plea bargain. Unauthorized computer access, hate crime, using a gun will committing a robber, being under the influence of drugs while committing a robbery, under the influence of drugs and using a gun while committing a hate crime on a computer, etc.
It's also due in par
Re:Typical abusive prosecution (Score:4, Interesting)
What we need to do is stipulate a rule: If the defendant is proven not-guilty of any one of the charges presented,
then they are automatically released of all charges related to their chain actions that some have been deemed criminal.
Afford the defendant the CHOICE regarding which charge or charge(s) will be decided upon first, and in what order for the subsequent ones.
Any further charge for the same chain of actions would be double jeopardy.
So if one of the charges is bogus, the Defendant will have that charge heard first, and once found innocent, be cleared of all the others.
That should encourage prosecutors to only charge the offense for a certain series of actions that they actually have evidence for, And only make the high-quality charges, not specious or dubious ones "To hope something sticks"
Re: (Score:2)
So if a prosecutor tries for 1st degree murder and fails to prove premeditation the murderer should go free ? That logic leaves a lot to be desired in reality.
Re: (Score:2)
I like this idea, it will stop prosecutors throwing in things like sexual assault and child pornography charges as a way of painting the defendant as some kind of monster and piling up the potential years on them as a way to pressure them into taking a plea deal.
The only down side I can see is that juries might be tempted to convict people of things they didn't do in order to get the them convicted of other things they did. Say there was an accused rape-murder, but it turns out it was just some consensual s
Nulla poena sine lege. (Score:2)
And prosecutors, having (hopefully) studied Law, should know this.
Re: (Score:1)
Re: (Score:1)
$1,000 a DAY was missing? (Score:3)
And someone just "investigated"?
Was the boss asleep? Whenever I've worked retail, a report was required for more than $20 missing from a cash drawer...
$1,000 would have been unthinkable!
Re: (Score:2)
was really just a couple of weeks before somebody investigated. Things are a bit looser in small towns than in the big city. Still, it took 7 years for the case to wind its way up to the Oregon Supreme Court. Would have been faster if she had been a lesbian.
Re:$1,000 a DAY was missing? (Score:5, Informative)
Re: (Score:1)
It would have shown as a sale on the daily receipts to the lotto company, but the cash for the sales would not have been in the cash drawer - hence it was 'missing'.
My question is, how long did she think she could get away with it? Maybe she was hoping she could hit it big and disappear before she was caught? But then she would have had to collect the money from the same employer she was stealing from....
Re: (Score:2)
Addicts aren't engaged in long-term planning, that is well known. Gambling is one of the most addictive things known.
Re: (Score:2)
Re: $1,000 a DAY was missing? (Score:5, Informative)
But she is authorized to use the register. I don't see why she can't take all the money and claim the same defense she used here.
Because it's still aggravated first-degree theft even if you're authorized to use the register. She stole, and was convicted for stealing. There's no need for any more charges to be piled on.
Re: (Score:2)
She can't. She's still guilty of theft, so this defense doesn't work on theft. It only works on being accused of using a computer without authorization when you steal lottery tickets you're authorized to print.
Re: (Score:2)
She can't. She's still guilty of theft, so this defense doesn't work on theft. It only works on being accused of using a computer without authorization when you steal lottery tickets you're authorized to print.
So if I, as a customer, sneaked into the store and printed thousand lottery tickets without paying, _that_ would be theft _and_ computer hacking because I was not authorized to print tickets. In her case, because she was authorized to print the ticket, it's only theft.
Re: (Score:2)
And of course whoever wrote the whole computer-without-authorization bill almost certainly intended it to be used for stereotypical hacking cases, almost certainly how it was presented to other legislators when it was voted on.
Re: (Score:2)
So if I, as a customer, sneaked into the store and printed thousand lottery tickets without paying, _that_ would be theft _and_ computer hacking
Breaking and Entering, And Theft.
I don't know about computer hacking; depends on what you had to do to get the machine to print tickets for you....
Re: (Score:1)
Re: (Score:2)
I don't have any authorization to use that system. It would count as unauthorized use for purposes of the CFAA.
Re: (Score:2)
It would count as unauthorized use for purposes of the CFAA.
Only if they implement access control measures on the system, such as warning banners, or access codes: to make it clear that this particular computer is not a system that the public is authorized to use, like an ATM.
Re: (Score:3)
I think the point is that she is guilty of theft and/or embezzlement and should be punished for that. The fact that a computer or cell phone was used shouldn't matter.
The spirit of the computer crime laws are supposed to apply to breaking into systems.
Re: (Score:2)
Not just breaking into systems though. Let's say someone leaves a laptop unattended while going to the restroom and forgets to lock it. Someone can sit down and use it without permission, modify files, etc, and the spirit of the law should cover that situation. But charging someone who embezzled money from an employer with an additional crime of using a work computer to do so without permission is an overreach. But prosecutors do so to intimidate defendants into a plea bargain. "You're looking at a max
Re: (Score:2)
No, the Oregon law only covers authorized access to systems that are protected from authorized access. Walking up and typing on an unattended laptop is clearly not covered. Also, if she embezzled or not (not, here, as it was just simple theft not a misappropriation) is irrelevant. If she worked in a stock room and was not authorized to sell the tickets using the machine, then she would have violated the computer crime law. That law is about if you were authorized or not, and if the system was clearly protec
Re: (Score:2)
"But she is authorized to use the register. I don't see why she can't take all the money and claim the same defense she used here."
She can and she should win on that charge. How in hell does taking all the money from the register she was allowed -and even commanded, to operate, make into a "hacking" case?
Re: (Score:2)
She stole money, that's it. She used the lottery computer to do so, but that's just a consequence of committing the crime, it should not be an additional crime. That's like tacking on an extra charge that said she put the tickets in her pocket without permission. The defense she gave was only for the tacked on charge of using a computer without authorization, she was still guilty of the original charge so it's hardly a "defense".
Makes no sense... (Score:1)
Violating a company rule means that the access done in violation was unauthorized. It would be just like loaning a vehicle to someone stipulating that they were not to go off-road, some security camera shows them mud-bogging, and then nailing the car borrowers with grand theft, because authorization to drive was revoked.
Re: (Score:2)
Right, it would be exactly like that, except that in Oregon we don't have "grant theft auto" we have "unauthorized use of a motor vehicle" and unlike the computer law, it uses an analog measurement where the intended use is taken into consideration. If you borrow a car and say you're going to the library, and you go to a concert, that is actually a felony in Oregon.
nice precedent to set (Score:1)
"I told them they could not have any more cheese then they went and opened the fridge. Throw the book at them that was unauthorized access to the computer. Then they went and used the microwave!!!"
Even though the law as written seems pretty clear
"any person who knowingly and without authorization uses, accesses or attempts to access any computer"
this is a very good precedent to be set when we are proceeding towards where there are computers in everything.
Re: (Score:2)
I've been using spoonerisms for years, and only ever receive strange looks, except for two Simpsons quotes. The one above plus "tai chi, chai tea".
This could've gone either way (Score:2)
There are two common-sense readings, and the court took one of them.
The other common-sense reading is that the employee was only authorized to access the device to do things that complied with company policy, and that her authorization to accessed it was implicitly suspended during the time she was violating company policy.
Since the court went the way they went, expect some companies in Oregon to go back and spell out very clearly that when you are using company equipment in violation of company policy, you
Re:This could've gone either way (Score:5, Insightful)
Because the physical world equivalent is she went into the store room and stole stuff while working there and having access to said store room. It would not seem reasonable to charge a store clerk with breaking and entering etc for going into the back room and stealing stuff and this is no different.
Re: (Score:3)
very good analogy. this wasn't theft and hacking, this was just theft.
a store clerk stealing from the till can't be charged with breaking into the store.
Re: (Score:2)
Re: (Score:2)
Who would it be trespassing? She was there during or immediately before/after assigned shifts. It was just theft we realy do not need to add with a computer to ever existing crime to be something special. Oh no she used a keycard to access a space, thats a comouter ya know so it's a whole nother crime above ya know theft makes no sense. Frankly the whole let's do the shotgun approach to crime does not make sense they are just abusing the system pushing for plea deals. One act one crime.
Re: (Score:2)
Earth to commenter. The clerk DID NOT use the machine without authorization. This is crystal clear. The EFF is absolutely correct, end of story. The clerk is guilty of theft, not some trumped-up "computer crime". Jesus save us from this SHIT. It is criminal justice CORRUPTION, plain and simple.
Re: (Score:2)
Only if you can't provide a convincing argument why Slashdot is required for your work.
I can think of seven different possible reasons without even pausing to consider the outliers.
Tollroads can try this BS on speeding (Score:2)
Tollroads can try this BS on speeding by go over the limit you are not authorization to use the ETC / camera / coin counting system so you are now looking at hard time under the computer crime law.
They can try that but in IL they will need to build a lot of court rooms and jails to handle the case load. Also good luck finding people to fill all the jury's.
Re: (Score:2)
The other common-sense reading is that the employee was only authorized to access the device to do things that complied with company policy, and that her authorization to accessed it was implicitly suspended during the time she was violating company policy.
While that may be a common-sense reading, it's a horrible precedent to set. Especially when it's not a company-employee relationship but rather manufacturer-customer. The DMCA is bad enough without the CFAA being shoehorned onto every crime too.
Re: (Score:2)
Straight up theft (Score:2)
Really, it's no different than loading up you car with merchandise that you did not pay for.
Re: (Score:2)
Really, it's no different than loading up you car with merchandise that you did not pay for.
What's completely different from loading a stolen car with merchandise that you did not pay for.
Don't most places have the lotto system with it's (Score:2)
Don't most places have the lotto system with it's own cash door and she may be looking at hard time for stealing lotto.
Re: (Score:2)
Re: (Score:2)
It's about time (Score:4, Insightful)
It's about time someone set the right precedent. Now there's finally some good case law for every count of "crime...but on a computer" to NOT count as a violation of CFAA.
What value, side note (Score:3)
What was the value of the lottery tickets stolen ? Was it valued at the $1.00 per pick or the value if you won ? It was only $1.00 at the time of the theft, can they retroactively apply appreciation to the value of the item ? If you stole $10.00 from the till and one of the dollars turned out to be a rare silver certificate, but that fact was unknown to any party involved at the time of the crime, I wonder if the crime is still a $10.00 theft ?
Re: (Score:2)
Re: (Score:2)
I understand the EFF's concern but ... (Score:2)
I get that they think the CFAA is overbroad and this is a prosecutorial pile-on. And maybe it is.
At the same time (and to be fair), this may have a negative impact on privacy.
Consider a scenario where an individual (say, a police dispatcher) has authorization to use a computer system (say, court records, warrants, DMV records) for legitimate purpose (in dispatching the police). Now she goes and uses her access to that computer beyond the bounds of that authorization: to help a friend that is a PI, to stalk
Re: (Score:2)
Your concern is about someone using authorized access in unauthorized ways. There are laws against at least some applications. If your doctor's office reveals confidential information without permission, that's illegal under HIPAA, no matter whether a computer was even involved. There are doubtless other laws that apply in some circumstances.
Throwing CFAA at people who violated terms of service is really, really dangerous. Having general laws so you can make up a reason why someone committed a felony
Buying without paying=stealing? (Score:2)
this executive began to suspect that she was buying lottery tickets but not paying for them
So not buying them, then? Perhaps we could call this thing "stealing."
Definite Article (Score:2)
Re: (Score:2)
When referring to the US State, it's just "Oregon", not "The Oregon".
That is true, but we talk about "the Oregon Supreme Court", and not just "Oregon Supreme Court".
Re: (Score:2)
What if she would have won? (Score:2)
Re: (Score:2)
Can't be Lucifer, but maybe Lilith ?
https://en.wikipedia.org/wiki/... [wikipedia.org]