Unauthorized access to restricted websites OK
If you have a password protected website and someone gains access to it, they have violated the federal Wiretap and Stored Communications Acts, right? Don’t count on it anymore.
The U.S. Court of Appeals for the Ninth Circuit says that such action does not violate the federal Wiretap Act and may not violate the Stored Communications Act either. The opinion of the court is a reversal of its earlier ruling in the same case. In Konop v. Hawaiian Airlines, the appellate court wrote last year that when a vice president of the airline gained access to a restricted website maintained by Konop to read unflattering information on the airline, the manager violated both federal statutes. However, in an unusual move, the court withdrew its opinion some nine months later and now has issued a new opinion with a different result.
Here are the facts. Konop was a pilot for the airline and a union member. He set up a website that was critical of the airline’s management. In order to gain access to his website, a person had to be a pilot on a list that Konop maintained and had to obtain a password. The user agreement for the site specifically stated that airline management was prohibited from the site and that all information on the site was confidential. Further, the user agreed not to furnish the information to anyone else. The airline’s management convinced two pilots to let a vice president use their names to log onto the website over two dozen times. Konop eventually was fired by the airline.
Konop sued to get his job back and also alleged that the airline violated the federal Wiretap Act and the Stored Communications Act by gaining access to his restricted website. Under the federal Wiretap Act, it is a violation to intentionally intercept electronic communications. The court found that an interception only can occur if it is “contemporaneously with their transmissions.” Since the information that the manager obtained from the website was in “storage,” there is no interception and no Wiretap Act violation. The court found that transmission only happened when the information was initially put into storage. Since the electronic information was in storage and since the manager was not approved to access the information, he would be violating the Stored Communication Act that prohibits a person from intentionally accessing “without authorization” a facility to obtain information in storage when he logged in under the pilots’ names, right? Not necessarily. The court found that since any authorized “user” also can authorize any third party to access the information, then the question is whether the pilots who gave permission to management were users of the site. If the pilots in the past had not “used” the site, then the manager’s logging on would be a violation of the Stored Communications Act. Because the record did not indicate whether the pilots were users, the court had to assume that they were not users. However, the court’s language indicates that if the pilots had used the site in the past and then gave the log-on information to management, there would be no violation. What this case means is that even if you try to restrict your website to only certain users, if someone gets on the site anyway and downloads the information, it is not a violation of the Wiretap Act. And, more troublesome, if one of your authorized users has viewed the site and then gives out his username and password to someone else, there is no violation of the Stored Communications Act. Apparently, the only recourse is through a contract action for violation of the site use agreement but that would be against the authorized user, not the imposter.