All About Exceeding Authorized Access
The Bencher—November/December 2020
By James Juo, Esquire
The Computer Fraud and Abuse Act (CFAA) was enacted back in 1986 as an amendment to the Comprehensive Crime Control Act of 1984. Created to criminalize computer hacking, it is said to have been inspired in part by the movie “WarGames.”
The CFAA has been called one of the broadest federal criminal laws on the books. Berkeley law professor Orin Kerr likes to joke that he is “a criminal in the Eleventh Circuit” because he gives a false location when he visits Facebook in violation of Facebook’s terms of service, “which according to the DOJ and the Eleventh Circuit is a federal crime.”
The legal theory is trespass upon a computer. The CFAA imposes liability on a person who “intentionally accesses a computer without authorization” or “exceeds authorized access” to obtain information from a protected computer. The statute was originally designed to protect computers having a specified federal interest such as national security, financial records, and government property, but it has been expanded a number of times since then. For example, the statute was expanded in 1994 to allow private entities to assert a civil cause of action and obtain compensatory damages and equitable relief. In 1996, the CFAA was amended to expand the class of protected computers to include any computer “used in interstate or foreign commerce or communication.” Thus, the scope of this statute went from a limited set of protected computers to potentially any internet-connected computer in the United States.
The CFAA has been asserted to cover a wide range of activity, such as cracking or stealing passwords, exploiting code-based security flaws, launching a denial of service attack on a website, spoofing IP addresses to avoid access restrictions, allowing an unauthorized person to use the valid password of another, violating a website’s ever-changing terms of service, and accessing information stored on an employer’s computer for a competing business. In recent years, private companies have used the CFAA against disloyal employees who, before they resign, often still retain full access to computer systems and can copy data prior to their departure. Many civil cases involving the CFAA arise from trade secret and employment litigation in which a defendant uses authorized credentials to obtain computer access to information in a manner prohibited by confidentiality agreements or employment policies. One advantage of using the CFAA is that the statute is focused on the issue of computer trespass more than on the quality of the computer data being accessed.
A circuit split, however, has developed over how to interpret “without authorization” and “exceeds authorized access” under the CFAA. The First, Fifth, Seventh, and Eleventh Circuits have broadly interpreted the CFAA to prohibit, in addition to traditional computer hacking, use-based violations such as misusing or altering computer data that the user was otherwise authorized to access. The Second, Fourth, and Ninth Circuits, on the other hand, have adopted a narrower interpretation of the CFAA that focuses on technological restrictions and does not criminalize violations of a company’s computer use policies. Under this narrower interpretation, the “exceeds authorized access” language in the CFAA is limited to violations of restrictions on access to information and not restrictions on the use of that information.
In the Ninth Circuit’s en banc decision in United States v. Nosal, Judge Alex Kozinski offered hypothetical examples of the consequences that may arise from giving a private party’s use policies the force of law. He noted that dating websites have terms of service that “prohibit inaccurate or misleading information” and that under the government’s proposed interpretation of the CFAA, “describing yourself as ‘tall, dark, and handsome’ when you’re actually short and homely will earn you a handsome orange jumpsuit.” Another example was that many workplaces also have policies that forbid using the internet at work for a non-work purpose, and the tendency of people’s minds to “wander” and “procrastinate” by connecting to the internet at work for a non-work purpose “would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”
With the circuits split, whether a company’s computer-use policy can be the basis for a CFAA claim against a disloyal employee may depend on which part of the country the alleged unauthorized access happens to occur. Regardless, any business with a computer network should maintain appropriate physical and technological barriers as part of its internal security protocols and data protection strategies for sensitive information, especially for a company with branches in multiple states. Also, with respect to computer crimes, businesses would still have recourse to other laws such as trade secret misappropriation, including under the Defend Trade Secrets Act, wire fraud, or breach of contract, instead of the CFAA.
There have been periodic legislative efforts to reform the CFAA over the years. Shortly after the Nosal decision, for example, a bill titled Aaron’s Law Act of 2013 (named after Aaron Swartz, who committed suicide after being criminally charged and threatened with 35 years in prison for downloading a large number of academic journal articles without authorization, in violation of the CFAA) was proposed that would have limited the CFAA to circumventing technological measures. But that bill went nowhere.
In April 2020, however, the U.S. Supreme Court granted certiorari to review Van Buren v. United States, where Nathan Van Buren, a Georgia police officer, was convicted of violating the CFAA for improperly using the Georgia Crime Information Center database on behalf of an acquaintance who wanted to learn whether or not a dancer at a local strip club was an undercover officer. As a police officer, he was supposed to run database searches only for law enforcement purposes, but instead ran the search for a $6,000 cash payment. Unfortunately for him, this was part of a police sting.
Arrested by the FBI, convicted under the CFAA, and sentenced to 18 months in prison, Van Buren appealed his conviction to the Eleventh Circuit. However, the Eleventh Circuit is one of the circuits that follows the broader interpretation of the CFAA, and his conviction was upheld. That conviction now will be reviewed by the Supreme Court.
Van Buren’s brief argues that “exceeds authorized access” means one is “not entitled so to obtain” the information in the manner described in the statute, namely via computer. The CFAA is aimed at the problem of breaking into computers without permission, and such “hacking” occurs only when someone accesses information that he has no right at all to obtain.
The United States’ brief, on the other hand, argues that someone is “entitled” to do something only when granted a right to do it. And one is “entitled so” to do something only when granted a right to do it in a particular manner or circumstance. Here, Van Buren was specifically forbidden from using his access outside his law enforcement duties, so he plainly was “not entitled so” to obtain confidential database information in that circumstance.
The Electronic Freedom Frontier wrote an amicus brief arguing that standard security research practices—such as accessing publicly available data in a manner beneficial to the public yet prohibited by the owner of the data—can be at risk under a broadly interpreted CFAA, which hinders the organization’s work. For example, when vulnerabilities in election machines made by Election Systems and Software (ES&S) were discovered by security researchers, ES&S threatened legal action in response. And, in 2019, the mobile voting company Voatz reported a University of Michigan student to the FBI because the student was conducting research into Voatz’s mobile voting app for an election security class.
Kerr’s amicus brief in Van Buren describes the fundamental question of whether violating verbal limits on computer use should trigger CFAA liability. Or, put another way, “whether words control authorization.” Computer owners allowing others to use their computers subject to verbal restrictions on how that use can proceed can be considered a “contract-based” limit rather than a code-based or a technology-based limitation. While authorization based on technology is universally accepted, criminalizing computer authorization based on words has been deeply controversial. Kerr advocates that the court should adopt the code-based approach to CFAA liability and reject the contract-based approach.
Amicus briefs in support of Van Buren also have been filed by others, including the American Civil Liberties Union, the National Whistleblower Center, and a group of media companies such as ALM Media and The Washington Post.
On the other side, the Federal Law Enforcement Officers Association filed an amicus brief arguing that the computerized systems used by federal law enforcement contain massive amounts of highly sensitive data, and that a purely technological interpretation of “authorization” under the CFAA would present a dilemma: administering those systems to give legitimate users the greatest freedom to conduct their work efficiently for the public safety would risk insider abuse of those systems without the possibility of redress through the CFAA.
On September 16, 2020, this case was set for argument on Monday, November 30, 2020. The Supreme Court hopefully will soon provide some much-needed clarity on what it means to “exceed authorized access” under the CFAA.
James Juo, Esquire, is a patent and trademark attorney with the law firm of Thomas P. Howard LLC in Louisville, Colorado, where his practice includes the prosecution and litigation of intellectual property. He is a board member of the Colorado IP American Inn of Court.