An Ohio appellate court has upheld the felony hacking conviction of a man who was found guilty of unauthorized access for misusing his computer at work.

Richard Wolf acknowledged that his behavior was inappropriate when he used his work computer to upload nude photos of himself to an adult web site and view other photos on porn sites, but he didn't think he should be convicted of hacking for doing so.

A jury disagreed and felt he exceeded his authorization on the computer, which the appellate court recently upheld (.pdf).

Mark Rasch, a former federal prosecutor of computer crimes, called the conviction a misuse of the computer hacking law.

"This goes to the whole concept . . . that violation of an internal policy on the use of a computer can be piggybacked to make a crime," said Rasch, who now works as a consultant for Secure IT Experts. "His uploading of nude pictures is certainly inappropriate and something he could be terminated for, but it was perfectly legal. When you use the heavy hand of the criminal law to prosecute inappropriate behavior, it's just an abuse of the criminal statutes."

Wolf was also convicted of soliciting a dominatrix online for sexual services, a misdemeanor. Rasch says using the computer evidence for proof of this crime is appropriate, but charging him separately for felony hacking goes too far.

Rasch said the problem stems from an amendment that was made to the federal Computer Fraud and Abuse Act – the federal anti-hacking law – that states have added to their own statutes.

"The early statute only talked about unauthorized access – which is breaking into computer," he said. "But then they amended it to say 'or exceeding the scope of authorization to access a computer'."

The amendment was intended to target employees who have access to a computer but abuse that access to obtain data they shouldn't have or go into parts of their employer's network they shouldn't enter.

The amendment arose from the case of an IRS employee who was caught looking up tax returns on an assistant district attorney who was prosecuting his father, among others. Authorities tried to prosecute him on hacking charges but ran into difficulty since he was authorized to use the computer system.

Unfortunately, Rasch says, the amendment created an opportunity for prosecutors to interpret the law too broadly.

"That term 'exceeding authorization' is very loose and ambiguous," he says.

The case began when Larry Wise, the Superintendent of the Shelby City Wastewater Treatment Plant, where Wolf was employed, was deleting old files from a work computer and found a nude photograph of Wolf.

When police interviewed him, Wolf admitted that in January 2006 he joined a web site called Adult Friend Finder to meet women and that, in violation of established work practices, he uploaded nude photos of himself from his work computer after women he met online requested pictures. He also admitted accessing various porn sites and spending more than 100 hours doing personal business on his work computer.

Forensic analysis of the computer's temporary internet files uncovered 703 pornographic photos as well as several sexually explicit e-mails Wolf exchanged with a dominatrix named Mistress Patrice, soliciting her services.

Wolf was convicted on state charges for three counts: unauthorized access to a computer, a felony; theft of services in office (essentially for depriving the city of his paid services while he conducted the unauthorized activities on a city computer on city time), which is also a felony; and solicitation of prostitution, a misdemeanor.

He was sentenced to 15 months and a $5,000 fine for the two felony convictions and ordered to pay the city about $2,400 in restitution for personal business on city time. On the misdemeanor solicitation charge, he was sentenced to 60 days (to run concurrently with his other sentence) and a fine of $500. His sentence was later reduced to two and a half years in "community control."

Wolf argued for appeal on grounds that there was insufficient evidence for any of the convictions and that the convictions for unauthorized use of computer and theft of service in particular "are contrary to public policy and create such a manifest miscarriage of justice that such convictions must be reversed."

The Ohio hacking statute reads in part that "No person, in any manner and by any means, including, but not limited to, computer hacking, shall knowingly gain access to, attempt to gain access to, or cause access to be gained to any computer, . . . without the consent of, or beyond the scope of the express or implied consent of, the owner of the computer, . . . or other person authorized to give consent.”

The appellate court wrote that Wolf's conduct was “beyond the scope of the express or implied consent" and the charge of unauthorized use of a computer was based upon sufficient evidence.

The appellate court vacated the theft-of-service conviction, however.

Judge John Wise wrote that "while the State presented evidence Appellant spent approximately 100 hours over a five month-period utilizing internet websites that were not related to his job, there was no evidence presented that his job performance suffered or that he failed to perform his job duties.

"Furthermore, even if it could be shown that Appellant failed to perform

such job duties, while it could certainly serve as a basis for termination from his

employment, such could not be the basis of a criminal theft in office charge."

One of the judges wrote a dissenting opinion on this point, saying the state had proven that the city experienced a measurable loss for the time Wolf wasted on the computer.

The county assistant prosecutor said her office will appeal the ruling to the state supreme court.

UPDATE: David Carto, the attorney who handled Wolf's appeal, told Threat Level that Wolf was prosecuted because authorities disapproved of the material he viewed online.

"The reason he was prosecuted was clearly because of the content of what he was looking at," he said. "If somebody else had been on an internet site studying horticulture, I don't think he would have been prosecuted. It was not obscene. It was just something that was not approved of by certain elements of the city government and by the court in which he was tried. The prosecutor and the judge both treated this basically as a sex offense."

Carto said the photos Wolf viewed were profile pictures from the adult dating site he visited. Some of the profile photos of women on the site showed nudity but not sexual acts.

He said his client was a good worker and had even been promoted after his supervisors found the pictures. Initially he was suspended while police investigated the case, but was promoted after he returned to work. He lost his job, however, when he was convicted of the charges.

He added that the city had never actually disseminated a policy regarding internet usage to tell workers what was inappropriate.

"They had crafted one but they hadn't published it," he said. "So there was in effect no policy and no protections on the computer – no password protection or filtering of any kind – so basically anybody could access anything on the internet through the city's computer."

Photo showing a random computer: chunter01/Flickr