The federal computer crime statutes punish unauthorized access to a computer. As regular readers know, courts are hopelessly divided on what this language means, and in particular what makes an access to a computer authorized versus unauthorized. In Cheng v. Romo, 2012 WL 6021369 (D. Mass. Nov. 28 2012), Judge Casper authored an opinion on an interesting wrinkle that I’ve pondered but that hasn’t come up before in published decisions: How do computer crime statutes apply when one party gives his password to another party for some limited uses, but the latter party uses the password for broader uses? Is the accessing with the password but beyond the implicit or explicit limit “unauthorized” for purposes of the computer crime laws?
Here are the facts of the new case. Cheng and Romo were doctors who worked together. Cheng used a personal Yahoo e-mail account for work purposes. Romo sometimes needed to access work-related documents that had been sent to Cheng’s Yahoo account, so Cheng gave Romo his password. Cheng didn’t place explicit limits on when Romo could access his account, but it was apparently understood between the two of them that Cheng gave Romo his password so she could access his account for work-related reasons. Fast forward several years later, and Romo’s relationship with Cheng and the company where they work has soured. Romo leaves the company, and later sues the company — as does Romo’s husband. Romo becomes eager to know what is happening at the company, so she uses the password Cheng gave her and logs in and reads Cheng’s e-mail. Romo felt “very uncomfortable” about accessing Cheng’s e-mail account so many years later, for reasons clearly not foreseen by Cheng. On the other hand, he had given her his password. Cheng later found out about Romo’s [...]