An Ohio man was convicted on a hacking charge for using his work-provided computer in a way not sanctioned by his employer. Specifically, Richard Wolf spent 100 work hours visiting various adult web sites rather than working. Instead of simply being fired, Mr. Wolf is instead convicted of hacking. Read an overview of the case and let us know what you think. Should Mr. Wolf have this conviction on his record?
By now, most people who take the plunge and visit adult-oriented web sites while on duty understand that they risk being fired very quickly. However, how many of these same people expect to be jailed for this infraction? I'd bet that not very many people expect that this inappropriate behavior would land them in the clink. An Ohio man, Richard Wolf, is learning the hard way the consequences that can be attached to what, while stupid, might seem like victimless behavior in the workplace.
In April of 2006, Mr. Wolf's life took a turn for the worse when Larry Wise, the Superintendent of the Shelby City Wastewater Treatment Plant, found a nude photograph of Mr. Wolf on Mr. Wolf's city-owned computer. A full investigation ensued once Mr. Wise's supervisor, Shelby Utilities Director Brad Harvey, involved the local police. The investigation discovered that Mr. Wolf spent 100 hours on-the-clock perusing adult-themed web sites and ultimately searching for, locating and communicating with a professional dominatrix. During the investigation, Mr. Wolf admitted that he did, in fact, use his work computer inappropriately and that his behavior was "unethical and wrong."
Unfortunately for Mr. Wolf, this "unethical and wrong" behavior quickly turned into a legal nightmare. Specifically, Mr. Wolf was initially convicted of a number of crimes, including "Unauthorized access to a computer." Under Ohio law, this is a felony. Mr. Wolf was sentenced to fifteen months in prison, ordered to pay a $5,000 fine and ordered to pay restitution of $2,392 to the city for the 100 hours of wages. On another charge, one count of solicitation (for Mr. Wolf's efforts in soliciting a prostitute), Mr. Wolf was sentenced to 60 days in jail and a $500 fine.
Mr. Wolf appealed the original convictions on a number of counts. For this article, I'll focus on the "unauthorized access to a computer" conviction appeal. In his appeal, Mr. Wolf's attorneys wrote:
THE TRIAL COURT ERRED BY OVERRULING DEFENDANT APPELLANT'S MOTION FOR A DIRECTED VERDICT OF ACQUITTAL AS TO THE CHARGE OF UNAUTHORIZED ACCESS OF A COMPUTER, AS THERE WAS INSUFFICIENT EVIDENCE TO ESTABLISH THE ELEMENTS OF A VIOLATION OF OHIO REVISED CODE SECTION 2913.04(B).
The law cited, Ohio RC 2913.04 reads:
(A) No person shall knowingly use or operate the property of another without the consent of the owner or person authorized to give consent.
(B) No person, in any manner and by any means, including, but not limited to, computer hacking, shall knowingly gain access to, attempt to gain access to, or cause access to be gained to any computer, computer system, computer network, cable service, cable system, telecommunications device, telecommunications service, or information service without the consent of, or beyond the scope of the express or implied consent of, the owner of the computer, computer system, computer network, cable service, cable system, telecommunications device, telecommunications service, or information service or other person authorized to give consent.
Based on the opinion of the appellate court that Mr. Wolf's conduct was "beyond the scope of the express or implied consent" of the computer's owner - the City of Shelby - the Ohio appellate court hearing the appeal upheld what amounts to a "hacking" charge for Mr. Wolf. The law in question was originally intended to convict those that inappropriately access sensitive records outside the scope of their job responsibilities. For example, suppose an office worker in the medical office accessed and sold the patient database.
It seems that this interpretation of the law could result in all kind of legal abuse. Was Mr. Wolf singled out because he access adult web sites? What about the person down the hall that spends half her day on eBay? Could she be convicted for hacking as well under the same line of reasoning? Could the office worker that kicks back at lunch time and plays Solitaire also be convicted if the City's acceptable use policy prohibits playing games?
There is a lesson to be learned from this incident: Make sure you have a rock solid acceptable user policy at work that includes directives should a supervisor observe impropriety. Personally, I believe that the person that contacted the police was wrong to do so, particularly if he did not first communicate with Human Resources about the incident. This entire situation could have been settled without legal action and without ruining Mr. Wolf's life. Apparently, at the time of Mr. Wolf's lapse in judgment, the city did not have in place an acceptable use policy. Sure, Mr. Wolf should have known that looking for a prostitute on city time was relatively stupid, but should be in jail for hacking?
Further, it seems that the statute that was used to convict Mr. Wolf needs to be rethought unless the intent of the state of Ohio is to make criminals out of just about every office worker in the state. How many have sent a personal email or played a game on a work computer, even if it's against the rules? While I do believe that people should generally obey the rules, if they fail to do so, they shouldn't be sent to jail.
My take: For the charge of "hacking" Mr. Wolf shouldn't be in jail. It's an unjust reading of the law and an overzealous prosecution that made this happen. I agree that Mr. Wolf screwed up, but he should have been fired, not convicted.
What's your take?