On Whose Authority? Authorized Access and Criminalized Computer Use under CFAA

It’s a close thing, when watching a crime drama, to tell whether the makers of a show more thoroughly misunderstand the law or the use of computers. The fantasy of the hacker furiously typing as code streams down a computer screen, and the fantasy of the lawyer defying the judge to give a rousing speech and sway the jury, are equally illusory mainstays of network TV. Occasionally, however, law and computer technology do produce real drama. On January 13th, 2013, a young man named Aaron Swartz faced a lawsuit from the United States. Swartz, a student from MIT, had been accused of downloading over 4,000,000 articles from the online database JSTOR. Swartz had, according to the United States, broken into a network closet at MIT and downloaded the majority of the JSTOR archives, which MIT had licensed, before sharing the millions of scholarly articles on various file-sharing websites. After his breach of the network was discovered, the United States filed suit. During the course of the litigation, after learning that he could face up to seven years in prison, Mr. Swartz committed suicide.

Though this is a dramatic example of information redistribution, many who are currently law students or young lawyers grew up committing, and continue to commit, routine criminal offenses on their computers. Anyone who ever downloaded a song over Napster or Limewire, who got a free version of Microsoft Office or Adobe Photoshop from a friend on a USB drive, or fought through hundreds of pop-up ads to watch a low-res version of a not-on-Netflix movie with a date has committed a crime. Commentators have often worried about statutes that criminalize large swaths of everyday behavior, creating a situation where most people receive no penalty while an arbitrary few face crushing consequences. One such statute under scrutiny is the Computer Fraud and Abuse Act, the statute under which Mr. Swartz was prosecuted.

The Split

The Computer Fraud and Abuse Act, or “CFAA,” is codified at 18 U.S.C. § 1030. The CFAA criminalizes certain acts by those who have “knowingly accessed a computer without authorization or exceeding authorized access.” The question is what constitutes authorized access, and courts have split over the proper definition. The narrow view, held by the Ninth and Fourth Circuits, interprets “exceeding authorized access” as referring only to restrictions on access to the data itself. The broader view, held by the First, Fifth, Seventh and Eleventh Circuits, interprets “exceeding authorized access” as referring to any use of the computer that was not authorized.

Typical of the narrow interpretation is the case U.S. v. Nosal (9th Cir. 2012). The defendant, David Nosal, was planning on leaving his contracting firm and starting a competing business. Along with associates, he obtained login credentials and downloaded source lists and other data from his employer, to use in founding his own company. Nosal summarises the split well:

This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed authorized access” if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

After review, the Ninth Circuit upheld the reasoning of the district court, arguing both that the broad interpretation made redundant the prior “without authorization” clause of the statute, and that the federal statute too broadly criminalized computer use:

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

The broader view can be found in cases like U.S. v. Rodriguez (11th Cir. 2010). Rodriguez found that an employee in the Social Security Administration who accessed personal information in the database without a business reason had violated the CFAA, as “the policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons… In the light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.”

Looking Forward

Many tech commentators continue to worry that the CFAA, if interpreted as broadly as it is in the Rodriguez case, will, as the Ninth Circuit notes, criminalize even basic slacking at work. Despite his win, the defendant Nosal found himself in court again for U.S. v. Nosal (9th Cir. 2016), or “Nosal II.” In this case, Mr. Nosal was found in violation of the CFAA, though the Ninth Circuit retained its narrow interpretation. Mr. Nosal appealed to the Supreme Court, and the case was denied certiorari. Until the Supreme Court clarifies the CFAA, courts will continue to disagree on how broadly the statute should be interpreted, and on whether the use of a work computer “without a business reason,” like sneaking some Netflix in during company time, should be a federal crime.