According to press reports, front-office personnel of the St. Louis Cardinals used a guessed password to gain access to a private database of player information held by the Houston Astros. Over at ESPN, legal analyst Lester Munson makes the startling claim that this may not be a crime:
Q: Is it actually a crime to hack into the data and the files of a Major League Baseball team?
A: It’s certainly ethically questionable, but whether it is a crime is far less certain. It appears that Cardinals’ front office officials succeeded in obtaining information on Astros prospects and trade strategies. But for a federal prosecutor to charge Cardinals executives with “unauthorized access” to computer information or theft of proprietary, non-public information, the prosecutor must be able to show that the information was the work product of significant efforts by Astros officials and, more importantly, was not available elsewhere.
In addition to showing that the stolen information was not otherwise available, the prosecutor must be able to show that Cardinals executives knew they were committing a crime. If the Cardinals’ activity was just a dirty trick or an attempt at getting even with a former colleague, the hacking might not qualify as a crime.
This is just wrong. The most obvious federal crime based on the alleged facts is 18 U.S.C. 1030(a)(2), intentionally gaining unauthorized access and obtaining information. Here’s the text:
Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished as provided in subsection (c) of this section.
There is no requirement that the information be “proprietary, non-public” information, or that it is “the work product of significant efforts by Astros officials . . . not available elsewhere.” The statute is clear: The information just needs to be, well, “information.” Any information of any kind will do. Yes, the information has to be from a “protected computer.” But pretty much everything with a microchip is a “protected computer,” and obviously a computer connected to the Internet counts as one. Nor is there any requirement that they “knew they were committing a crime,” or that they didn’t just see this as “a dirty trick.” There is no “mere dirty trick” excuse in federal criminal law.
Importantly, there are still a lot of we don’t know about the alleged Cardinals hack. Section 1030(a)(2) is just a misdemeanor, and federal prosecutors rarely charge mere misdemeanors. So the important investigative issue is whether the facts will support a more serious felony charge. You can get to different felonies in different ways, but the FBI is probably looking at whether any of the felony enhancements for 1030(a)(2) crimes may apply. Under the law, a 1030(a)(2) misdmeanor becomes a felony when any one of these three circumstances occur:
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000;
Based on a quick skim, I haven’t seen press reports that answer whether the facts trigger one or more of these felony enhancements. But that’s where the legal issues are likely to be. If the basic allegations are true, the hack was clearly a crime. The only question is how serious a crime it was.
Thanks to Dan Epps for the pointer.