Accessing Someone Else’s Facebook Account in Florida is a Crime

Data Breach

Relying upon a statute which has been amended twice since 1978, it is a crime in Florida to access someone else’s social media account without their authorization.  This likely happens dozens of times a day in this state, likely as a joke or a prank, which have or could lead to criminal charges.  Some of the more pernicious circumstances (e.g., cyberstalking and/or revenge porn) have arisen to the appellate level.

There is a handful of cases, including the December 2017 case of Joel Alan Umhoefer v. State of Florida,  which reveal that Florida’s Computer Crime Act needs updating and that, as currently written and interpreted, a person’s ability to defend against charges lies in their counsel’s detailed knowledge of the social media discovery and admissibility of internet content.

According to the Second District’s opinion, Umhoefer (born in 1982) developed an online relationship with a then-14 year old girl in 2012.  This relationship was sustained to some extent for two years, during which time Umhoefer sent stuffed animals and a laptop to the child.  In August 2014, an injunction against dating violence was issued when he became jealous of the (then-16 year old) girl’s same-age boyfriend.  Two months later, Umhoefer accessed the girl’s Facebook account, found sexually-explicit communications between the girl and her boyfriend, and Umhoefer sent those to the girl’s mother.  During trial for unauthorized access of a computer network or electronic device, the girl testified that she set up the subject Facebook account in June 2014 and never gave out the password.  A forensic computer expert testified that the defendant used Pass Finder to bypass password protections (evidence that his access was unauthorized) and further explained that the messages Umhoefer accessed “are not stored locally but on Facebook’s server farm, which is a network of computers that provide service and content access.”

Florida Statute 815.06(2)(a) sets out that “a person commits an offense against users [of a device or network] if he or she willfully, knowingly, and without authorization… accesses or causes to be accessed any computer, computer system, network, or electronic device with knowledge that such access is unauthorized.”  The clunky definition of “computer network” is here.

Once the State had sufficient evidence that Umhoefer’s use of Pass Finder led him to obtain the girl’s password without authorization, you might think that the case was closed.  Likewise, once the State’s expert explained that Umhoefer used the illegally-obtained password to access the girl’s Facebook account on the internet, you might think that too would seal a violation of the statute.

But a curious, prior case in 2015 held to the contrary when the First District opined, in Mario Crapps v. Florida, that proof a defendant “accessed one of the listed tangible devices” is not the same as “the defendant access[ing] a program or information on the device without authorization.”  The reasoning, on a technical level, is not explored in the opinion — and perhaps with good reason since it is self-evident that accessing an account on the internet means accessing a network.  The Crapps court reversed because the State failed to present evidence: “Nothing in the record establishes or explains how accessing an Instagram account works from a technological perspective, leaving unanswered whether or how Appellant’s actions amounted to accessing a specific computer, computer system, or computer network.”  Of note, Crapps appears to be the first published opinion in Florida about Instagram.

Back in the Umhoefer case, the Court was not impressed with the “Crapps” argument, pointing out that the Crapps case hinged upon the state attorney’s failure to present evidence and was not clear precedent interpreting the Computer Crimes Act.  The State did not make the same mistake in Umhoefer’s case.

What’s the bottom line?

Whether it be a prank or an intentional crime, accessing another person’s email or social media account can be charged as a crime under Florida’s statute.  It can further lead to a civil suit and monetary liability.  As the Court noted in Crapps, there is also the relatively new “revenge porn” or “sexual cyberharassment” statute, F.S. 784.049 which is also available.

The defense of these cases turns largely on admissions by the defendant before obtaining a lawyer; the State’s method of collecting evidence; knowledge of social media and computer forensics; and adroit use of Florida Rules of Evidence as it relates to emerging technologies such as social media and internet / networking issues.  Moreover, a lawyer needs to understand the history and the potential gaps in Florida’s aged statute.  If you, your children, family members, or employees are charged with (or are looking to pursue) a Computer Crimes Act or Revenge Porn case in Florida, question your prospective counsel on his or her knowledge of these statues, cases, evidence rules, and technical knowledge.

 

Data Breach
Christopher Hopkins to Discuss CyberSecurity and Technology Trends for Mediators and Arbitrators (Palm Beach Bar Association)

A great thanks to the Palm Beach Bar Association for inviting me to speak about cyber security and technology trends at the annual ADR CLE/CME on Monday, February 10,. 2020. This year the theme is “The New Flavors of ADR” and I can assure you that “the cyber” and tech …

1st Amendment
Florida Statute Criminalizes School Shooting & Bombing Threats – How Does Law Enforcement Locate People Who Post Online Threats? (O.P-G. v. Florida)

Two days after the Parkland School shooting in Broward County, a middle school student twenty miles away in Miami Lakes, Florida decided to post on YouTube the following: “I[’]m going to shoot my school in [F]lorida[.] [I’]m only 13[.] I got bull[ied] and [I’]m getting my revenge with my guns[.] …

Data Breach
Christopher Hopkins Discusses Cybersecurity & Technology for Lawyers At Law Firm Leaders Summit

I was invited to speak today in Tampa about cybersecurity and technology for lawyers at the Law Firm Leaders Summit conference. I presented to both “small firm” and “large firm” tracks at the seminar. We covered: Getting hacked on public wifi Phishing, Spearfishing and other hacks Ransomware U.S. Government’s “NIT” …