The Ninth Circuit’s 2012 decision in United States v. Nosal created a circuit split regarding the interpretation of the phrase “exceeds authorized access” in the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit (since joined by the Fourth Circuit) held that one “exceeds authorized access” to a computer by violating an access restriction (e.g., do not access File X), but not by violating a use restriction (e.g., do not use the computer for non-business purposes). This interpretation conflicts with the First, Fifth, Eighth, and Eleventh Circuits, which have held that use restrictions are within the scope of “exceeds authorized access.”
This post compares the Ninth Circuit’s access-only interpretation of the CFAA with the use-and-access interpretation, and suggests these two positions are not that different. This post then discusses the alternative, code-based interpretation and recent efforts to amend the CFAA.
As computers began to appear in American homes and businesses in the late 1970s and early 1980s, it quickly became apparent that existing criminal statutes were insufficient to address the harms that could be committed with these devices. Indeed, since courts frequently did not treat intangible material, like software, as property, computerized information was largely unprotected from crime. In recognition of this problem, in 1984, Congress passed the first federal statute directed at computer crime: the CFAA. While the CFAA was primarily an anti-hacking statute, it also addressed (or at least has been interpreted to address) a much broader range of activity, including violations of terms of service (ToS) agreements and computer-use policies.
The CFAA has undergone a series of broadening amendments since its enactment. It currently contains seven crimes, three of which punish any individual who “exceeds authorized access” to a computer and satisfies one or more additional elements. “[E]xceeds authorized access” is expressly defined in the CFAA as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The Circuit Split—Access v. Use Restrictions
A circuit court first held that an individual “exceeds authorized access” by violating a computer use restriction in 2001. In EF Cultural Travel v. Explorica, the First Circuit found that the defendant likely “exceed[ed] authorized access” by operating a scraper program that gleaned information from a former employer’s website and used that information in violation of a confidentiality agreement. In the decade that followed, three additional circuit courts found use restrictions were within the scope of “exceeds authorized access.” These courts held that employees “exceed[ed] authorized access” by violating restrictions against: using customer’s personal information to incur fraudulent credit card charges (Fifth Circuit), and using the social security administration database to get personal information on potential romantic partners (Eleventh Circuit) or President Obama’s student loan records (Eighth Circuit).
In United States v. Nosal, an en banc panel of the Ninth Circuit disagreed with these courts. The Nosal court held that one only “exceeds authorized access” by violating restrictions on access to computerized information. In this case, employees had permission to access every file on their employer’s computer database, but were only permitted to do so for legitimate company business. The employees obtained information from the database to operate a competing enterprise. The Ninth Circuit held that these employees did not “exceed[ their] authorized access” by violating the policy against using the database for non-company business. The Fourth Circuit has since adopted this interpretation and held that an employee who violates a company policy against downloading information to a personal computer and then uses that information on behalf of a competitor does not violate the CFAA. (The plaintiff in this case filed a petition for certiorari to the Supreme Court, but later dismissed the case.)
While the access-only position adopted by the Ninth and Fourth Circuits is narrower than the traditional, use-and-access position, it isn’t narrower by much. Indeed, multiple district courts have concluded that contracts can impose access restrictions, and therefore, that computer users can “exceed authorized access” by violating contractual provisions under either interpretation. Thus, even under the access-only interpretation, there is no principled reason why liability cannot be premised on the violation of a website’s ToS agreement, at least to the extent that the agreement imposes an access restriction. While a computer user can’t be prosecuted in the Ninth or Fourth Circuit for violating an online dating site’s rule against lying about one’s height (a use restriction), that user can presumably still be prosecuted for violating the site’s rule that no one under a certain height may enter (an access restriction).
Efforts to Amend the CFAA—The Code-Based Position
A growing number of individuals and organizations are advocating a position that goes beyond the access-only position. Orin Kerr, a George Washington University law professor, has long argued that the CFAA should only punish individuals who circumvent technological barriers. This code-based interpretation provides some clear policy benefits: it ensures the CFAA does not criminalize large amounts of everyday computer activity and it prevents liability from hinging on vague, private agreements. It is less clear, however, that Congress actually intended the CFAA to be this narrow. Indeed, this interpretation is questionable given that Congress used nontechnical language like “exceeds authorized access” in the CFAA but technical language like “circumvent a technological measure” in other statutes, such as the Digital Millennium Copyright Act. No court has adopted the code-based interpretation of the CFAA.
Nonetheless, the code-based approach has attracted the attention of members of the legislature. In June 2013, Representative Zoe Lofgren (D-CA) and Senator Ron Wydan (D-OR) introduced “Aaron’s Law”: a bill named for Aaron Swartz, the internet activist who committed suicide while facing up to 50 years in prison under the CFAA for downloading articles from an academic repository in violation of its ToS. Aaron’s Law would remove “exceeds authorized access” from the CFAA and introduce a definition of the remaining phrase, “access without authorization,” that requires “knowingly circumventing one or more technological or physical measures.”
Opposition to Aaron’s Law has come from organizations such as the Business Software Alliance (BSA), a software trade group composed of companies like Apple, Dell, and Microsoft. The BSA argues that the bill would require computer owners to invest in costly technological protection measures for their data. The BSA seems to have a valid point: Aaron’s Law leaves computer owners vulnerable to abuse of data by insiders.
In stark contrast to Aaron’s Law, in March 2013, the House Judiciary Committee circulated a draft proposal that largely strengthens the CFAA. The House draft would leave the definition of “exceeds authorized access” unchanged, and thus, do little to address the disagreement among circuits. What it would do is narrow the broadest provision of the CFAA, subsection (a)(2), by adding an additional element and clarifying that the subsection doesn’t encompass accidental violations of contractual restrictions. In contrast to the current version of the CFAA, however, it would make every violation of subsection (a)(2) a felony.
While none of the efforts to amend the CFAA has yet succeeded, the need for Congress to address the CFAA is hard to dispute. The CFAA, a law that applies to millions of Americans’ everyday computer activities, should have a uniform meaning throughout the country. And even if the Supreme Court resolves the circuit split, it is unlikely that the Court can determine how Congress, 30 years ago, wanted the CFAA to apply to technologies it could not have imagined. Congress needs to revisit the CFAA to clarify how computer crime should be punished. But whether that means the CFAA will eventually look more like Aaron’s Law or the House draft remains to be seen.