CNET news has a story of a Michigan man who apparently pled guilty to violating Michigan’s computer crime statute for sitting outside a coffee shop and using the shop’s wi-fi to surf the web:
Each day around lunch time, Sam Peterson would drive to the Union Street Cafe, park his car and–without actually entering the coffee shop–check his e-mail and surf the Net. His ritual raised the suspicions of Police Chief Andrew Milanowski, who approached him and asked what he was doing. Peterson, probably not realizing that his actions constituted a crime, freely admitted what he was doing.
“I knew that the Union Street had Wi-Fi. I just went down and checked my e-mail and didn’t see a problem with that,” Peterson told a WOOD reporter.
Milanowski didn’t immediately cite or arrest Peterson, mostly because he wasn’t certain a crime had been committed. “I had a feeling a law was being broken,” the chief said. . . .
Milanowski, who eventually swore out a warrant for Peterson, doesn’t believe Milanowski knew he was breaking the law. “In my opinion, probably not. Most people probably don’t.”
Indeed, neither did Donna May, the owner of the Union Street Cafe. “I didn’t know it was really illegal, either,” she told the TV station. “If he would have come in (to the coffee shop), it would have been fine.”
Peterson was charged and apparently pled guilty and was sentenced for violating Michigan’s computer crime statute. According to this story, Peterson’s actual punishment was very light: he was given a $400 fine and 40 hours of community service, with the understanding that if he stays out of trouble the conviction will be erased from his record.
But did Peterson actually commit a crime? The answer hinges on Michigan’s somewhat unique computer crime law, and in particular on its definition of the meaning of “authorization.” Like every state — and like the federal government — Michigan has an unauthorized access statute that serves as the basic computer crime law. (For my take on these statutes, see this article.) Here’s Michigan’s law, Section 752.795(a):
A person shall not intentionally and without authorization or by exceeding valid authorization . . . Access or cause access to be made to a computer program, computer, computer system, or computer network to acquire, alter, damage, delete, or destroy property or otherwise use the service of a computer program, computer, computer system, or computer network.
So far, this is a pretty standard unauthorized access statute. But Michigan does something that is pretty unique; it has a statutory presumption against access being authorized:
It is a rebuttable presumption in a prosecution for a violation of section 5 that the person did not have authorization from the owner, system operator, or other person who has authority from the owner or system operator to grant permission to access the computer program, computer, computer system, or computer network or has exceeded authorization unless 1 or more of the following circumstances existed at the time of access:
(a) Written or oral permission was granted by the owner, system operator, or other person who has authority from the owner or system operator to grant permission of the accessed computer program, computer, computer system, or computer network.
(b) The accessed computer program, computer, computer system, or computer network had a pre-programmed access procedure that would display a bulletin, command, or other message before access was achieved that a reasonable person would believe identified the computer program, computer, computer system, or computer network as within the public domain.
(c) Access was achieved without the use of a set of instructions, code, or computer program that bypasses, defrauds, or otherwise circumvents the pre-programmed access procedure for the computer program, computer, computer system, or computer network.
If I had been Peterson’s attorney, I would have had a bunch of arguments in his defense. First, I would argue that having a statutory presumption is unconstitutional under Sandstrom v. Montana, 442 U.S. 510 (1979). A presumption that a material element of a criminal statute has been satisfied violates the Due Process clause, which requires the government to provide each element beyond a reasonable doubt. Id. at 524. Second, I would argue that even if the presumption is constitutional, it doesn’t apply here: under (c), “[a]ccess was achieved without the use of a set of instructions, code, or computer program that bypasses, defrauds, or otherwise circumvents the pre-programmed access procedure for the computer program, computer, computer system, or computer network.” And finally, the access was not unauthorized or in excess of authorization because the coffee shop intentionally made the wi-fi available to anyone. What’s the rule — no hopping on wifi from a coffee shop unless you enter the shop? Unless you actually buy something? What if you’re outside waiting for a friend to join you for a latte, but you haven’t gone in yet? Where do such rules come from, and what notice does a defendant have before being held criminally liable? I’ve written before about how unauthorized access statutes threaten to punish an incredible amount of conduct online, and this seems like the latest evidence in support of the point.
As best I can tell, though, these arguments weren’t tried. But then it’s hard to tell from the news articles, which seem pretty sketchy on the legal side of this. If you happen to know more details about the case, please consider explaining them in the comment thread.