Think Hoarding Passwords Keeps You Safe From Firing? Think Again (Forbes Cross-Post)
Terry Childs was principal network engineer for Department of Telecommunications and Information Services (DTIS) of the City and County of San Francisco. He apparently distrusted his co-workers and sought to make himself unfireable, so he arranged to become the only person with his network’s passwords. When he was suspended from his job, he refused to divulge the passwords so that his employer could reassume control over its network. The court summarizes his ill-fated steps to advance his interests rather than his employer’s:
he knowingly prevented the city from being able to use its own computer system for a period of time, deliberately configured that system so that no one else could access it, set it up so that anyone other than him attempting to enter it would erase the data stored in it, and made the network more vulnerable to external attack by the filing of an unauthorized copyright application
For taking these steps, Childs was convicted of violating California’s state computer crime law (California Penal Code Sec. 502(c)(5)), which criminalizes taking an action that “knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.” He was sentenced to four years in prison and ordered to pay nearly $1.5 million in restitution, the bulk of which compensates the employer for its post-firing efforts to find and fix Childs’ backdoors. Last month, a California appeals court upheld the conviction and restitution order.
I imagine many IT employees and software engineers fantasize about how they will “stick it to the man” through backdoors or password-hoarding if they are ever fired from their jobs. Fantasies are fine, but actually implementing the plan could turn into a criminal nightmare.
Over the years, we’ve seen other examples of employees or business partners using their control over digital assets for additional leverage. For example, I’m reminded of a 2010 ruling where a businessman was deemed a cybersquatter for holding a domain name hostage from his partner, and a 2007 ruling where a web designer was convicted of conversion because he blocked his customer from accessing the customer’s website. These digital strong-arming efforts rarely fare well in court, and as Childs’ case reinforces, they could be more life-changing than just making a bad business decision.
This ruling needs to be considered in combination with California’s recent law banning employers from asking employees for their passwords to any digital data. This case addresses the flip side of that law. Just as employers can’t demand passwords for accounts that aren’t the employers’, an employee can’t legitimately withhold passwords to vital company property from employers. Unfortunately, neither this ruling nor the new California law deals with the common situation where an employee’s password controls access to a resource (hardware, software, online accounts) that is being used simultaneously for both employer and personal purposes. The Childs ruling doesn’t purport to address that situation, though it would be quite troubling if the ruling suggests that a person could be criminally prosecuted for withholding passwords for such “mixed-use” resources.
Case citation: People v. Childs, 2013 WL 5779044 (Cal. App. Ct. Oct. 25, 2013)