Monday, October 28, 2013
C.A. Upholds Conviction of Former S.F. Network Administrator
Justices Say Engineer Committed Crime by Refusing to Turn Over Passwords He Created
By KENNETH OFGANG, Staff Writer
A former administrator of San Francisco’s municipal computer system was properly convicted of tampering with the network, the First District Court of Appeal ruled Friday.
Div. Four affirmed Terry Childs’ conviction under Penal Code Sec. 502(c)(5), which makes it a crime to “[k]nowingly and without permission disrupt or cause the disruption of computer services or den[y] or cause the denial of computer services to an authorized user of a computer, computer system, or computer network.”
In upholding the conviction, the panel rejected Childs’ contention that the statute was intended to apply only to hackers, not to an authorized user accused of accessing the system for a nefarious purpose.
A San Francisco Superior Court judge sentenced Childs in 2010 to four years in state prison—with more than two years credit for time he had already served, enabling him to be paroled within months. He was also ordered to pay more than $1.4 million in restitution.
He spent that time in jail after his arrest because prosecutors persuaded a judge to set bail in the amount of $5 million, saying that Childs was a danger to the community because he had the remote capability to damage the network.
Prosecutors accused Childs—who spent five years with the city as the principal engineer for the Department of Telecommunications and Information Services—of locking up the city’s FiberWAN network for about 12 days in 2008. They charged that he told a fellow worker that he had the “keys to the kingdom”—the passwords to the system’s switchers and routers, which he had unilaterally changed, making it impossible for the city to fire him or outsource his work..
They said Childs’ had reason to fear such consequences—he had failed to disclose a significant criminal record when he was hired.
He eventually gave the passwords to then-Mayor Gavin Newsom, now the state’s lieutenant governor, during what one technology publication described as “a dramatic jailhouse visit.”
Childs defended his actions during his trial, saying that he was only doing his job, and that his supervisor, Department of Technology and Information Services Chief Operations Officer Richard Robinson, was unqualified to have access to the passwords.
According to testimony, Childs repeatedly refused to hand over passwords to his supervisors because he was concerned that the passwords would be indiscriminately shared with management and third-party contractors, thereby jeopardizing the security of the network. He said he had been instructed by Childs Herbert Tong, the manager of DTIS’s network engineering unit and a subordinate of Robinson’s, not to give the passwords to unauthorized persons.
Justice Timothy Reardon, writing for the Court of Appeal, rejected Childs’ argument that as an authorized employee of the city, he could not be convicted of disrupting service on the network he was responsible for.
The justice acknowledged that this may have been the first case in which a defendant was convicted of a crime solely for refusing to hand over passwords. But that doesn’t mean it wasn’t a crime, he said.
“The correct inquiry is not whether an employee has ever been convicted of the charged offense on the basis of similar conduct in the past, but whether the legislature intended to hold criminally liable one who acted as Childs did,” the justice wrote.
He concluded that lawmakers had such an intent, rejecting the argument that the statute’s language implies that only a person who lacks authorization to enter the system can be guilty of disrupting it.
He cited a statement of legislative intent in the law, and added:
“The Legislature’s requirement of unpermitted access in some section 502 offenses and its failure to require that element in other parts of the same statute raise a strong inference that the subdivisions that do not require unpermitted access were intended to apply to persons who gain lawful access to a computer but then abuse that access.”
In an unpublished portion of the opinion, he rejected a vagueness challenge to the statute.
Any reasonable person, Reardon said, would have understood that in prohibiting use of the system “without permission,” the statute required an employee to follow “the direct instruction of his supervisor to divulge information that his employer owned and had the right to know,” and that his refusal to turn over the passwords constituted a disruption or denial of service.
The case is People v. Childs, 13 S.O.S. 5477.
Copyright 2013, Metropolitan News Company