The Computer Fraud and Abuse Act (CFAA) and its provisions have drawn significant criticism recently, particularly following the prosecution of Internet activist Aaron Swartz for allegedly downloading academic papers in an apparent attempt to make the information more widely available. He reportedly did so for no personal profit or financial gain, and he ultimately returned all of the content he had downloaded. His subsequent suicide tragically amplified what some are calling the absurdity of his prosecution under the very broad provisions of the CFAA.
The CFAA prohibits certain computer use "without authorization" or that "exceeds authorized access," and defines the latter term as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." See 18 U.S.C. section 1030(e)(6). Violations are subject to criminal penalties including fines and up to 10 years' imprisonment. The statute also authorizes a civil action if one of the factors set forth in section 1030(c)(4)(A)(i) is present.
Critics complain that the terms of the CFAA can be interpreted so broadly that they lead to consequences the statute was never intended to reach.
One area that has garnered particular attention is the application of the CFAA provisions to employees who misuse company computers.
Generally, in employee cases, the question of liability turns on whether the employee "exceeds authorized access" rather than acts "without authorization," because the employee usually has some level of authorization, as opposed to outside hackers, who have no authorization at all.
In 2012, the Ninth and Fourth Circuits issued opinions narrowly interpreting "exceeds authorized access" in the context of employees' misuse of company computers, cementing a split among the federal courts of appeals on this issue.
Circuits Narrowly Construing the CFAA
9th Circuit: US v. Nosal
In US v. Nosal, 676 F.3d 854 (9th Cir. 2012), the Ninth Circuit held that "the phrase 'exceeds authorized access' in the CFAA does not extend to violations of use restrictions", that is, the term is limited to "violations of restrictions on access to information, and not restrictions on its use."
In that case, Nosal had worked for Korn/Ferry, an executive search firm. After leaving the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their own log-in credentials to download source lists, names and contact information from a confidential database on the company's computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had an employment policy that prohibited disclosing confidential information. Nosal was charged with multiple counts, including violations of the CFAA for aiding and abetting the Korn/Ferry employees in exceeding their authorized access with the intent to defraud.
In finding that the CFAA's prohibition did not reach Nosal's conduct, the Court reasoned that because the employees had permission to access the company database and to obtain the information they took, the element of acting "without authorization, or exceeds authorized access" was not met, and the CFAA counts therefore failed.
To find otherwise, the Court reasoned, would produce absurd consequences. "Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," wrote Chief Judge Kozinski for the majority. Employees who send personal emails, read the sports scores, or do sudoku on their work computers, where their employer's policy limits those computers to business use, would be exposed to potential CFAA liability.
Applying the rule of lenity, the Court held: "We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals."
In dissent, Judge Silverman rejected the majority's concern with casual violations of use policies. "In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men -- far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy." The majority's "hypertechnical" interpretation of the statute distorted the obvious intent of Congress, Silverman wrote, and failed to look at the crimes actually committed by the defendant and his co-conspirators.
4th Circuit: WEC Carolina Energy Solutions LLC v. Miller
In July 2012, the Fourth Circuit Court of Appeals followed U.S. v. Nosal and concluded that "without authorization" and "exceeds authorized access" do not extend to the improper use of information validly accessed. WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) (certiorari dismissed, January 2, 2013). Judge Floyd determined that the terms "apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access."
The defendant allegedly downloaded proprietary information from his employer shortly before he resigned, and then used it in a presentation to a potential customer on behalf of a competitor of his former employer.
The Fourth Circuit agreed that the rule of lenity should apply and that the statute should be construed narrowly. "Here, Congress has not clearly criminalized obtaining or altering information 'in a manner' that is not authorized. Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter."
Circuits Interpreting the CFAA Broadly
In contrast, the First, Fifth, Seventh, and Eleventh Circuits have taken a much broader view of the CFAA.
In one of the earliest cases, EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001), a former employee of a travel agency violated his confidentiality agreement with his former employer by using confidential information he had obtained as an employee. He hired someone to create a program that "scraped" pricing information from his former employer's website, information he could not have obtained as efficiently without the confidential knowledge. Although the website was open to the public, so that he was authorized to use it, he exceeded his authorization by using confidential tour codes to obtain better access than other members of the public. The Court found that the employer would likely succeed on its CFAA claim against its former employee based on the breach of the confidentiality agreement.
In International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), the defendant decided to go into business for himself, in breach of his employment contract. Before returning his company laptop, he deleted all of its data by loading a secure-erasure program onto the laptop, designed to overwrite the deleted files so they could not be recovered. This prevented the employer both from obtaining the data he had collected and from discovering his improper conduct. Judge Posner, writing for the Court, held that the defendant acted "without authorization," because "his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee."
Judge Posner noted that the difference between "without authorization" and "exceeds authorized access" was "paper thin." Citrin's case differed from EF Cultural Travel BV, Judge Posner concluded, because the breach of the duty of loyalty terminated the agency relationship, and with it removed his authorization to access the laptop altogether.
In US v. John, 597 F.3d 263, 271-73 (5th Cir. 2010), the Fifth Circuit held that an employee of Citigroup exceeded her authorized access in violation of the CFAA when she accessed confidential customer account information in violation of her employer's computer use restrictions and used that information to commit fraud. Although the employee had authorization to use the company computer for lawful business purposes, the Court reasoned that because she knew her purpose for accessing the information violated company policy and was part of a criminal scheme, finding a violation of the CFAA was proper.
The Eleventh Circuit held in US v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), that an employee of the Social Security Administration exceeded his authorized access under the CFAA when he obtained personal information about former girlfriends and other women he wanted to date, and used that information to send the women flowers or to show up at their homes. The defendant argued that, unlike the defendant in US v. John, he was not using the information as part of a criminal scheme for profit. However, unlike the Ninth Circuit, the Eleventh Circuit found his intended use to be immaterial: "The problem with Rodriguez's argument is that his use of information is irrelevant if he obtained the information without authorization or as a result of exceeding authorized access."
Ripe for Review?
In Nosal, the Ninth Circuit explicitly rejected the path taken by the First, Fifth, Seventh, and Eleventh Circuits. "We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty . . . These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute's unitary definition of 'exceeds authorized access.'"
The Fourth Circuit likewise rejected those cases, and specifically the cessation-of-agency theory adopted in Citrin. "The deficiency of a rule that revokes authorization when an employee uses his access for a purpose contrary to the employer's interests is apparent: Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer's use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer's computer systems."
These competing cases are difficult to reconcile. Should the analysis focus on the intent of the employee, the scope of access granted, or the use made of the information? Is the cessation-of-agency theory a viable doctrine? As noted above, certiorari in WEC Carolina Energy Solutions LLC v. Miller was dismissed on January 2, 2013, so that case will not resolve the question. Nonetheless, a divide this deep among the Circuits seems destined for the Supreme Court for clarification.