TERRY DEWAIN BRIGGS v. STATE OF MARYLAND

No. 24, September Term, 1997
COURT OF APPEALS OF MARYLAND
348 Md. 470; 704 A.2d 904; 1998 Md. LEXIS 9
January 22, 1998, Filed
OPINION:

Opinion by Raker, J.

 

Terry Dewain Briggs appeals his conviction for the crime of unauthorized access to computers, in violation of Maryland Code (1957, 1996 Repl. Vol., 1997 Supp.) Article 27, § 146(c). n1 The primary issue raised in this case is the meaning of the statutory requirement of access "without authorization" as used in § 146. The question we must answer is whether an employee who is entitled to use an employer's computer system in connection with employment duties, but who exceeds the scope of that authorization, is acting in a manner proscribed by Article 27, § 146. Briggs contends that his conduct did not come within the prohibition of the statute. We agree, and accordingly, shall reverse.

In November, 1994, the Scarborough Group, Inc. (Scarborough), a medium sized securities investment company, hired Terry Briggs as a computer programmer and system administrator. Briggs, a twenty-three-year old computer specialist, was hired to program and design software to maintain the company computer system. As part of his job responsibilities, he entered data in the computer system and placed passwords n2 on the files to secure the data. The management of the entire computer system was entrusted to Briggs. Following a dispute on July 24, 1995, about the terms of his employment contract, Briggs resigned as an employee of the company.

Shortly after Briggs left the company, Scarborough realized that some of its computer files were secured with passwords known only to Briggs. Scarborough and Briggs were unable to resolve the situation. Scarborough filed a civil suit against Briggs, and also contacted the Anne Arundel County police.

The State charged Briggs in a two count criminal information: count one, theft of computers, in violation of Article 27, § 342(a)(1) n3 and, count two, unauthorized access to computers, in violation of Article 27, § 146(c)(2). At trial, Scarborough contended that Briggs changed the passwords two days before the meeting about Briggs's employment contract, and put them in a subdirectory named "ha-ha he-he," dated July 22, 1995 by the computer. Scarborough maintained that Briggs never had permission to place the company files in a directory and to protect the file with passwords, without anyone else in the company having access to the passwords. Although he denied any knowledge about "ha-ha he-he," Briggs admitted that he placed passwords on company files months earlier as part of his job in securing files, but that he had difficulty remembering the passwords because so much time had passed. Briggs suggested that Scarborough filed criminal charges against him in order to discredit him as a government witness in a Securities and Exchange Commission investigation that Briggs had initiated alleging that certain activities at Scarborough violated federal security regulations. Briggs maintained that the computer date on the password subdirectory had been changed to incriminate him.

The State alleged that Briggs intentionally and willfully and without authorization accessed a computer system to interrupt the operation of the computer system and computer services. In his motion for judgment of acquittal, Briggs argued that he was not guilty as a matter of law (that the statute did not apply to his activities) and as a matter of fact (that he was fulfilling his employment responsibilities). Briggs reasoned that Article 27, § 146 was not intended to apply to authorized computer users who, arguably, used their positions to cause harm to their employers by misusing the computer. The State argued that Briggs was guilty of unauthorized access, because although Briggs was authorized to access the computer system, he was not authorized to access the system in such a way as to interrupt the operation of the computer services of the system. The trial court denied Briggs's motion for judgment of acquittal, and the jury found Briggs guilty of unauthorized access to computers in violation of Article 27, § 146(c)(2)(i). The court sentenced Briggs to one year incarceration, with all but two days suspended, two years supervised probation, 150 hours of community service, and a fine of $ 500. The court also ordered him to cooperate with Scarborough and required him to release any remaining password information and client files. Briggs noted a timely appeal to the Court of Special Appeals. We granted certiorari on our own motion before consideration by that court.

Appellant argues before this Court that Article 27, § 146 criminalizes the conduct of an individual who intentionally and willfully accesses a computer without authorization and is inapplicable to conduct that can be characterized as only exceeding authorized access. He concludes that the statute is inapplicable on its face because, as part of his employment, he was authorized to access the computer system. The purpose of the statute, Appellant continues, was to deter unauthorized users from breaking into computer systems, i.e., to prevent "hackers" n4 from gaining unauthorized access. Briggs distinguishes operating a computer system without authorization from exceeding authorized access by using the computer in an improper manner. He concludes that application of this statute to his conduct is contrary to legislative intent.

The State contends that even though access for other activities may have been authorized, a person, whether he is an employee, "hacker," or otherwise, violates the statute when that person "intentionally, willfully, and without authorization" accesses a computer system or any part of a computer system to cause the malfunction or interrupt the operations of the computer system or any part of that system. The State maintains that there was sufficient evidence to support the verdict because Briggs did not have authority to place passwords on the files without anyone else in the company having those passwords, and that he did so with the intent of interrupting the operation of the computer system.

 

II.

The standard for review of the denial of a motion for judgment of acquittal is "whether, after viewing the evidence in the light most favorable to the prosecution, any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt." Jackson v. Virginia, 443 U.S. 307, 319, 99 S. Ct. 2781, 2789, 61 L. Ed. 2d 560 (1979); see also State v. Albrecht, 336 Md. 475, 478-79, 649 A.2d 336, 337 (1994). We do not inquire into the credibility of witnesses, or weigh the evidence to ascertain whether the State has proven their case beyond a reasonable doubt; that is the responsibility given to the trier of fact. Applying the above standard of review, we conclude that the conduct in this case does not constitute the crime of unauthorized access to computers, and the motion for acquittal should have been granted.

Article 27, § 146 provides, in pertinent part:

 

(c) Illegal access.--(1) A person may not intentionally, willfully, and without authorization access, attempt to access, or cause access to a computer, computer network, computer software, computer control language, computer system, computer services, computer data base, or any part of these systems or services.

(2) A person may not intentionally, willfully, and without authorization access, attempt to access, or cause access to a computer, computer network, computer software, computer control language, computer system, computer services, computer data base, or any part of these systems or services to:

(i) Cause the malfunction or interrupt the operation of a computer, computer network, computer software, computer control language, computer system, computer services, computer data base, or any part of these systems or services; or

(ii) Alter, damage, or destroy data or a computer program stored, maintained, or produced by a computer, computer network, computer system, computer services, computer database, or any part of these systems or services.

(3) A person may not intentionally, willfully, and without authorization:

(i) Identify or attempt to identify any valid access codes; or

(ii) Distribute or publicize any valid access codes to any unauthorized person.

 

Access is defined in § 146(a) as follows:

 

(9) "Access" means to instruct, communicate with, store data in, retrieve data from, or otherwise make use of equipment including, but not limited to, computers and other data processing equipment or resources connected therewith.

 

To support a conviction for illegal access to computers under § 146(c)(2)(i), the State must prove: (1) that Briggs intentionally and willfully accessed a computer or computer system; (2) that the access was without authorization; and (3) the access was with the intent to interrupt the operation of the computer services. We need not address Appellant's factual argument that he was authorized to place passwords on Scarborough's computer system, because we find the second element dispositive and hold that Appellant's access to the computer was not "without authorization" within the meaning of the statute. n5 When faced with a question of statutory construction, we look first to the plain meaning of the words of the statute, with the goal to ascertain and effectuate legislative intent. Whack v. State, 338 Md. 665, 672, 659 A.2d 1347, 1350 (1995). We give the words of the statute their ordinary and natural meaning. Gargliano v. State, 334 Md. 428, 435, 639 A.2d 675, 678 (1994). If the language of the statute is plain and clear and expresses a meaning consistent with the statute's apparent purpose, no further analysis is ordinarily required. Id. at 435, 639 A.2d at 678. On the other hand, if the language of the statute is ambiguous or unclear, "we must consider 'not only the literal or usual meaning of the words but their meaning and effect in light of the setting, the objectives and purpose of the enactment,' in our attempt to discern the construction that will best further the legislative objectives or goals." Id. at 436, 639 A.2d at 678 (quoting Tucker v. Fireman's Fund Ins. Co., 308 Md. 69, 75, 517 A.2d 730, 732 (1986)).

The statute is three-pronged. Section 146(c)(1) prohibits unauthorized access or attempted unauthorized access per se to computers. The actor's purpose or motive in accessing the computer--whether there is any intent to alter or damage the computer or the data on it--is irrelevant. Section 146(c)(2) prohibits unauthorized access or attempted access to computers with a further purpose, such as with the intent to cause a malfunction or interrupt the computer operation, or alter, damage, or destroy information. Section 146(c)(3) prohibits willful and intentional identification, publication, or distribution of valid access codes, and has no relevancy to the case before the Court. "Simple" unauthorized access, that is, without intent to damage or alter, is punishable by a maximum prison term of three years, a fine of $ 1,000, or both. "Aggravated" unauthorized access is punishable by a maximum prison term of five years, a fine of $ 5,000, or both. n6

The statute prohibits unauthorized access of a computer, computer network, or computer systems. "Access" is defined in the statute "to instruct, communicate with, store data in, retrieve data from, or otherwise make use of equipment including ... computers." § 146(a)(9). "Without authorization" modifies the word "access." Therefore, the unlawful act is unauthorized access. "Authorization" is not defined in the statute. n7 Turning to dictionary definitions of "authorize," we find that BLACK'S LAW DICTIONARY 133-34 (6th Ed. 1990) defines "authorize" to mean "to empower; to give a right or authority to act. To endow with authority or effective legal power, warrant, or right. To permit a thing to be done in the future." (Citation omitted). Similarly, WEBSTER'S NEW INTERNATIONAL DICTIONARY, UNABRIDGED 186 (2d ed. 1950) defines "authorize" to mean "to clothe with authority or legal power; to give right to act; to make legal; to legalize; to give authoritative permission to or for; to justify." The testimony at trial that Briggs had authority to enter data in the computer and to place passwords on the files to secure the data establishes that he was authorized, under the statute, to "instruct, communicate with, store data in, retrieve data from and to make use of computer data equipment and other data processing equipment." The plain language of the statute suggests that if an employee were initially permitted to "instruct," "communicate with," "store data in," or "retrieve data from" the computer system, then that employee's access would be authorized. The statute makes no reference to authorized users who exceed the scope of their authority. If the Legislature intended the statute to cover employees who exceeded the scope of their authority or who misused their authority, it could have done so explicitly. n8 We conclude that the intent of the General Assembly was to criminalize the misuse of computers or computer networks by those whose initial access was unauthorized.

The legislative history supports our reading of the statute. In 1984, in an apparent response to the inadequacies of current criminal law to address disruptive or voyeuristic acts involving computer information systems, House Bill 121, approved by both houses, and enacted as Chapter 588, 1984 Laws of Maryland, criminalized "illegal access to computers." A representative of the Department of Budget and Fiscal Planning testified in support of the bill:

 

Generally speaking, the threat [of computer crime] may be viewed as being divided into two reasonably identifiable types: 1) those associated with criminal intent or activity, and 2) those associated with the so called "hacker" type of activity, where just the challenge of penetrating the system, or some sort of "electronic vandalism" or other mischief is the objective. While outright criminal activity involving information systems is covered by current statute, the Department feels this bill provides a needed addition by directly addressing the second type of threat by prohibiting all unauthorized access, for whatever purpose, and by providing penalties for its occurrence.

 

Testimony Regarding House Bill 121, Department of Budget and Fiscal Planning (available at the Department of Legislative Reference, Bill File for House Bill 121 (1984)) (emphasis added). The legislative history thus suggests that House Bill 121 was drafted in reaction to the concern about the recent "hacker" activity. The Senate Judicial Proceedings Committee Report for House Bill 121, reported favorably by Chairman (now President of the Senate) Thomas V. Mike Miller, underscores our conclusion that the statute should apply to those who break into computers:

 

BACKGROUND:

 

 

Proponents of this bill testified that, under current law, simply breaking into a computer system to vandalize or cause other mischief is not illegal. Thus, the bill was introduced by those who feel unauthorized access alone should be a misdemeanor subject to penalties.

 

LEGISLATIVE INTENT:

 

This legislation is intended to make it a misdemeanor for a person intentionally and without authorization to access, attempt to access or cause access to a computer system. The purpose of the bill is to deter individuals from breaking into computer systems.

 

Committee Report System, Summary of Committee Report, House Bill 121 (available at the Department of Legislative Reference, Bill File for House Bill 121 (1984)) (emphasis added). The 1989 amendment to the statute, House Bill 1065, enacted as Chapter 722, 1989 Laws of Maryland, added subsections (c)(2) and (3) thereby creating two new substantive crimes with more severe penalties. Subsection (c)(2) prohibits a person from intentionally and willfully accessing a computer to cause malfunction or interrupt the operation of a computer, or to alter, damage or destroy data or program stored by a computer, and subsection (c)(3) prohibits a person from intentionally, willfully, and without authorization attempting to identify or distribute computer passwords. n9 The Senate Judicial Proceedings Committee Bill Analysis and Floor Report concerning House Bill 1065 states:

BACKGROUND:

 

This bill upgrades current computer access provisions to address recent well publicized disruptions of public and private computer systems, and invasions of personal privacy by "hackers."

 

* * * * * *

 

The first new crime penalizes the damage which hackers may wreak in illegally accessed systems, above and beyond the current penalty for the access itself.

 

Id. (available at the Department of Legislative Reference, Bill File for House Bill 1065 (1989)). Once again, it appears that the General Assembly sought to address the perceived threat from "hackers," and, in particular, the damages that they may cause beyond mere browsing. See also Testimony Regarding House Bill 1065, Delegate Samuel Rosenberg (stating "much of the current crisis revolves around underground 'hackers'") (available at the Department of Legislative Reference, Bill File for House Bill 1065 (1989)). Contrary to the State's argument, the legislative history thus suggests that House Bill 1065 was designed to enlarge the penalties related to mischievous unauthorized access, not to enlarge the definition of access. These comments and reports suggest that the intent of the Legislature was to punish access that was not initially authorized and not to punish conduct that merely exceeded authorized access.

Briggs's access was not unauthorized under Article 27, § 146, the unauthorized access to computers statute. If the law is to be broadened to include Briggs's conduct, it should be modified by the Legislature, not by this Court.

JUDGMENT OF THE CIRCUIT COURT FOR ANNE ARUNDEL COUNTY REVERSED. COSTS TO BE PAID BY ANNE ARUNDEL COUNTY.