United States v. John and the Meaning of “Authorization” to Access a Computer

The federal computer crime statute criminalizes accessing a computer “without authorization” or “exceeding authorized access,” with the important caveat that no one seems to know what it mean to access a computer “without authorization” or to “exceed authorized access.” See 18 U.S.C. 1030. The concepts are particularly tricky in the case of a written restriction on computer access. If a computer owner gives you permission to access a computer for a particular purpose or in a particular way, and you access the computer in ways contrary to those express limitations, does that violation render the access unauthorized? This was the main issue in the Lori Drew case, involving the violation of MySpace’s Terms of Service: The Government’s theory in that case was that an Internet user who violates MySpace’s TOS was thereby accessing the computers without authorization. The District Judge tossed the charges on the ground that this theory would render the statute unconstitutionally vague.

Now consider the Fifth Circuit’s decision yesterday in United States v. John, authored by Judge Owen and joined by Judge Smith and Judge Haynes. John was an account manager at Citigroup who provided her half-brother with customer account information so he and his friends could run up fraudulent charges. In addition to charging John with credit card fraud and conspiracy — the obvious charges in such a case — the government also charged John with unauthorized access to Citigroup’s computers. The government’s theory was that by accessing Citigroup’s computers to further a fraud, in violation of Citigroup’s apparent policies that employees could access information only for work-related reasons, John had committed an unauthorized access. The jury convicted on all counts.

On appeal, John challenged her conviction for unauthorized access on the theory that she was authorized as an employee to access the computer, as recognized recently by the Ninth Circuit in LVRC Holdings v. Brekka. The government responded with the First Circuit’s contrary opinion in EF Cultural Travel BV v. Explorica, Inc., which indicated (albeit rather confusingly) that the scope of an employemnt agreement governs access. The Fifth Circuit seemed a bit skeptical of both the First Circuit and Ninth Circuit’s approaches, instead adopting a relatively narrow theory as to when access to a computer in violation of a use restriction renders access unauthorized:

The question before us is whether “authorized access” or “authorization” may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system. We conclude that it may, at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime.

To give but one example, an employer may “authorize” employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer’s business. An employee would “exceed[] authorized access” if he or she used that access to obtain or steal information as part of a criminal scheme.

. . . Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded. In other words, John’s access to Citigroup’s data was confined. She was not authorized to access that information for any and all purposes but for limited purposes.

In the present case, the Government demonstrated at trial that Citigroup’s official policy, which was reiterated in training programs that John attended, prohibited misuse of the company’s internal computer systems and confidential customer information. Despite being aware of these policies, John accessed account information for individuals whose accounts she did not manage, removed this highly sensitive and confidential information from Citigroup premises, and ultimately used this information to perpetrate fraud on Citigroup and its customers.

The opinion isn’t entirely clear, but I think I read the Fifth Circuit as saying that an express restriction on access to a computer is in fact binding at least if it prohibits acts that are criminal and the wrongdoer accesses the computer in furtherance of a criminal act. Or at least that’s the case when the restriction is a use restriction, to the extent there is a distinct category of use restrictions.

I’m not quite sure what I make of this opinion. First, I guess the goal in limiting the reasoning to furtherance of intentionally criminal acts was to be minimalist, but I find the meaning of the limitation sort of puzzling. I assume the standard is not supposed to be circular: That is, the intent to commit a crime is an intent to commit a crime other than unauthorized access. But if that’s so, then doesn’t it sort of turn the statute into the crime of using a computer to commit a crime? That would be ironic given that the prohibition on unauthorized access was originally designed to reject such an approach (see Senator Ribicoff’s 1977 proposed legislation that Congress never enacted, built on that standard). And isn’t it at least a little odd to use intent to commit a crime as important to authorization when that is also the test for the felony enhancement? It seems like triple-dipping: Intent to commit a crime triggers the misdemeanor, the felony, and the other substantive crime all at the same time.

Or perhaps the court is thinking that it wants to say that some written restrictions are recognizable under the unauthorized access statutes and others aren’t, and this is the first in what may be a case-by-case determination of which restrictions are recognized? Perhaps. I think you could build such a framework using vagueness doctrine: You could say that written restrictions are binding in circumstances when such a theory would not render the statute unconstitutionally vague, and then have a case-by-case determination of when such restrictions are permitted. You could have one set of rules for employees, for example, another for Internet use restrictions, etc. My forthcoming article on Vagueness Challenges to the Computer Fraud and Abuse Act suggests such a course. It will be interesting to see if John is eventually fit into such a framework.

More broadly, the Fifth Circuit’s lack of comfort with the analysis of both the First Circuit and the Ninth Circuit is pretty interesting. The facts of each of these cases are quite different, so at this point I see conceptual tension but not yet a formal circuit split. (The John case is also a bad vehicle because it’s a plain error case.) But I expect to see these issues leading to more disagreements among the circuits in coming years, leading to eventual Supreme Court review of just what makes computer use “without authorization” or “exceed authorized access.”