Petition from the Internet Community to
the Computer Law Section of the Oregon State Bar

Sections: Body of petition | Background | Questions? | List of signers (now closed to new signatures)

The purpose of this petition is to request that the Section strongly urge the Oregon State Legislature to revise ORS 164.377 with the input of a recognized computer professional body in such a way that the law addresses the very real concerns about computer sabotage and theft facing many individuals and corporations today, while maintaining a serious and reasonable stance on what is considered to be legal and acceptable computer use.

As it exists at present, Oregon Law (ORS 164.377) provides in part:

• (2) Any person commits computer crime who knowingly accesses, attempts to access or uses, or attempts to use, any computer, computer system, computer network or any part thereof for the purpose of:
  
  • (a) Devising or executing any scheme or artifice to defraud;
    (b) Obtaining money, property or services by means of false or fraudulent pretenses, representations or promises; or
    (c) Committing theft, including, but not limited to, theft of proprietary information.
    

  (3) Any person who knowingly and without authorization alters, damages or destroys any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits computer crime.
  (4) Any person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits computer crime.
  

On September 11, 1995, Randal Schwartz, co-author of the O'Reilly "Programming Perl" book and long time Usenet contributor, was convicted in Washington County Circuit Court (C94-0322CR) under ORS 164.377 of three Class C felonies. The charges were based upon a complaint made by Intel Corporation for actions which occurred while Randal was working, as a contractor for Intel, performing general programming and computer system administration duties.

Many people familiar with the case and associated with the computer field feel that the actions for which Randal was prosecuted were minor infractions against unstated or improperly clarified corporate policies and would have been more properly dealt with at the company administrative level rather than as a matter of criminal law.

The Internet community is gravely concerned over the chasm growing between legal attempts to define normal and responsible computer behavior and the beliefs and practices of the people actually working in the area.

The Oregon Computer Crime law, while perhaps formulated with good intentions in mind, is far too vague, general and out of touch with the realities of normal day-to-day computer use. The wording of the law makes many routine, commonly accepted actions involving a corporate computer apparently illegal and practically every company computer user a criminal. It is impossible to use or communicate with a computer without altering its state in some manner, and the law provides no standards for determining objectively what is considered "authorized" and what is not. Nothing is said about whether the requisite authorization may be verbal or must be in writing or what the source of that authorization ought to be.

There is nothing in this statute indicating whether authorization will be presumed from the user's general access rights, although such presumptions are to be found in comparable legislation in other states.

The law fails to distinguish between actions which lead to minor and normal alterations of a computer's state, and those which lead to major alterations which affect the computer's functionality or ability to properly perform necessary or critical operations.

The language "for the purpose of" from ORS 164.377(2) appears nowhere else in the Oregon criminal code and it is not among the express culpable mental states set out and defined in ORS 161.085. Used in conjunction with "intent to commit theft," as it is, it effectively incorporates two levels of culpable mental state without any attempt to designate to which elements each, or both, apply.

In this connection, reliance on traditional property law concepts inherent in the statutory notion of "theft" is particularly unwise in the context of computer crime. In the Schwartz case, the trial court held, in effect, that it constituted theft for a technician to copy a file from one of his employer's computers to another of his employer's computers without the slightest indication that any effort was made to remove the file from the employer's custody or control. This and other aberrations are easily foreseeable, and will multiply in number with the proliferation of the new technology, unless the statute is rectified to reflect the realities of work in the computer industry.

ORS 164.377 defines computer as follows: "'Computer' means, but is not limited to, an electronic device which performs logical, arithmetic or memory functions by the manipulations of electronic, magnetic or optical signals or impulses, and includes all input, output, processing, storage, software or communication facilities which are connected or related to such a device in a system or network." "Device in a system or network" is all inclusive. It may easily be read to include electronic cash registers, parcel delivery tracking devices, calculators and even Gameboys (tm). Consequently, by very definition and because of the unnecessary overbreadth of language, the current law puts a Class C Felony within reach of just about every service industry worker in the State of Oregon. Moreover, because of the lack of limits on the definition, the law makes it very easy for employers to use the criminal courts to respond to sensitive issues that should be dealt with internally.

Oregon's Computer Crime law was hastily formulated without necessary input and advice from those groups and individuals most familiar with the issues involved and most able to help clarify what the problems and reasonable possible legal solutions should be.

The result is an unhealthy situation in which users and administrators are apparently either forced to routinely break the law in order to get their jobs done, and live under the constant threat of being prosecuted for trivial actions, or instead have their production grind to a halt while they ask for authorization for each step they have not been given previous explicit permission to execute. No other profession is forced to submit to such a state of capricious and subjective restrictions.

We request that you examine this statute and find, as we do, that it is a disastrous measure. We ask that you urge the legislature to repair it immediately, more clearly defining the requisite intent and authorization and limiting the crime itself by eliminating the anachronisms.

SIGNERS OF THE PETITION:

The names and affiliations of those signing the petition will be publicized on the World Wide Web and elsewhere. Statistics describing the signers are available. Signers' anonymous comments may be viewed.

MORE BACKGROUND:

Full text of the Oregon law and the definitions used within are located on the World Wide Web at:

Details of the charges brought against Schwartz as well as discussions concerning the case can be found at the location:

One analysis of the case and issues involved can be found at:

This petition can also be found at:

QUESTIONS:

Administrative and status questions about the petition can be directed to

URL: http://www.lightlink.com/fors/us2oregon/index.html
Thanks to a2i for donating signature collection resources.
Revised to reflect closure, January 20, 1999.