The federal computer crime statute criminalizes accessing a computer “without authorization” or “exceeding authorized access,” with the important caveat that no one seems to know what it means to access a computer “without authorization” or to “exceed authorized access.” See 18 U.S.C. 1030. The concepts are particularly tricky in the case of a written restriction on computer access. If a computer owner gives you permission to access a computer for a particular purpose or in a particular way, and you access the computer in ways contrary to those express limitations, does that violation render the access unauthorized? This was the main issue in the Lori Drew case, involving the violation of MySpace’s Terms of Service: The Government’s theory in that case was that an Internet user who violates MySpace’s TOS was thereby accessing the computers without authorization. The District Judge tossed the charges on the ground that this theory would render the statute unconstitutionally vague.
Now consider the Fifth Circuit’s decision yesterday in United States v. John, authored by Judge Owen and joined by Judge Smith and Judge Haynes. John was an account manager at Citigroup who provided her half-brother with customer account information so he and his friends could run up fraudulent charges. In addition to charging John with credit card fraud and conspiracy — the obvious charges in such a case — the government also charged John with unauthorized access to Citigroup’s computers. The government’s theory was that by accessing Citigroup’s computers to further a fraud, in violation of Citigroup’s apparent policies that employees could access information only for work-related reasons, John had committed an unauthorized access. The jury convicted on all counts.
On appeal, John challenged her conviction for unauthorized access on the theory that she was authorized as an employee to access the computer, as recognized recently by the Ninth Circuit in LVRC Holdings v. Brekka. The government responded with the First Circuit’s contrary opinion in EF Cultural Travel BV v. Explorica, Inc., which indicated (albeit rather confusingly) that the scope of an employment agreement governs access. The Fifth Circuit seemed a bit skeptical of both the First Circuit’s and the Ninth Circuit’s approaches, instead adopting a relatively narrow theory as to when access to a computer in violation of a use restriction renders access unauthorized:
The question before us is whether “authorized access” or “authorization” may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system. We conclude that it may, at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime.
To give but one example, an employer may “authorize” employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer’s business. An employee would “exceed[] authorized access” if he or she used that access to obtain or steal information as part of a criminal scheme.
. . . Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded. In other words, John’s access to Citigroup’s data was confined. She was not authorized to access that information for any and all purposes but for limited purposes.
In the present case, the Government demonstrated at trial that Citigroup’s official policy, which was reiterated in training programs that John attended, prohibited misuse of the company’s internal computer systems and confidential customer information. Despite being aware of these policies, John accessed account information for individuals whose accounts she did not manage, removed this highly sensitive and confidential information from Citigroup premises, and ultimately used this information to perpetrate fraud on Citigroup and its customers.
The opinion isn’t entirely clear, but I think I read the Fifth Circuit as saying that an express restriction on access to a computer is in fact binding at least if it prohibits acts that are criminal and the wrongdoer accesses the computer in furtherance of a criminal act. Or at least that’s the case when the restriction is a use restriction, to the extent there is a distinct category of use restrictions.
I’m not quite sure what I make of this opinion. First, I guess the goal in limiting the reasoning to furtherance of intentionally criminal acts was to be minimalist, but I find the meaning of the limitation sort of puzzling. I assume the standard is not supposed to be circular: That is, the intent to commit a crime is an intent to commit a crime other than unauthorized access. But if that’s so, then doesn’t it sort of turn the statute into the crime of using a computer to commit a crime? That would be ironic given that the prohibition on unauthorized access was originally designed to reject such an approach (see Senator Ribicoff’s 1977 proposed legislation that Congress never enacted, built on that standard). And isn’t it at least a little odd to use intent to commit a crime as important to authorization when that is also the test for the felony enhancement? It seems like triple-dipping: Intent to commit a crime triggers the misdemeanor, the felony, and the other substantive crime all at the same time.
Or perhaps the court is thinking that it wants to say that some written restrictions are recognizable under the unauthorized access statutes and others aren’t, and this is the first in what may be a case-by-case determination of which restrictions are recognized? Perhaps. I think you could build such a framework using vagueness doctrine: You could say that written restrictions are binding in circumstances when such a theory would not render the statute unconstitutionally vague, and then have a case-by-case determination of when such restrictions are permitted. You could have one set of rules for employees, for example, another for Internet use restrictions, etc. My forthcoming article on Vagueness Challenges to the Computer Fraud and Abuse Act suggests such a course. It will be interesting to see if John is eventually fit into such a framework.
More broadly, the Fifth Circuit’s lack of comfort with the analysis of both the First Circuit and the Ninth Circuit is pretty interesting. The facts of each of these cases are quite different, so at this point I see conceptual tension but not yet a formal circuit split. (The John case is also a bad vehicle because it’s a plain error case.) But I expect to see these issues leading to more disagreements among the circuits in coming years, leading to eventual Supreme Court review of just what makes computer use “without authorization” or “exceed authorized access.”
Chris Travers says:
Since the Drew case, I have been thinking about this and have come to a few tentative conclusions about how to have a definition of “authorization” which is somewhat broader than code-level controls but not vague either.
Consider, for example, the following scenario…
Suppose I set up a small botnet which does a denial of service attack against a public-facing VPN server from a former employer. By forcing the server to repeatedly generate encryption keys, I can exhaust resources, preventing it from being able to serve its authorized users properly. In this case, I never request access which is behind code-based controls (rather I am sabotaging the server by turning its authentication routines against itself). The CFAA might be argued by folks like Prof. Kerr not to apply. Yet it seems to me the CFAA was designed to apply to cases like this. Certainly if the courts ruled that it wasn’t I am sure Congress would broaden the law to accommodate….
I can see two arguments where it might apply without such changes though. The first is under the same sort of approach here (and in Wu’s opinion in Lori Drew) which would suggest that malicious acts are unauthorized under definitions much broader than code-based access controls. In this theory, I knew the owner wouldn’t approve of me preventing road warriors from logging in. I acted maliciously. There is mens rea (or at least scienter) and therefore it is unauthorized.
Secondly, if the owner of the server tracks me down and says “stop attacking my server or I’ll prosecute” that would seem to be affirmative evidence that due notice was provided that this was deemed unlawful and that continued attacks would clearly be beyond what’s “authorized.”
In the second case, if we imagine a web site’s terms of service which lists some terms as being subject to account termination and others as subject to prosecution, if those terms subject to prosecution are sufficiently clear (and devoid of vagueness problems themselves) and free of other problems (I don’t think “you are not authorized to criticize Prof. Kerr on this board” would be subject to prosecution because it is both vague, and causes first amendment problems when criminal sanctions are added) then I think the court would have to see breaches of them as being violations of law.
What do folks think?
February 11, 2010, 12:09 am
Oren__ says:
Thanks for pointing this out — you’ve put your finger directly on the conflict between the computer-sense of “authorized” (in which a particular user is authorized to take a particular set of actions) and the legal-sense in which someone is authorized to act within a particular purpose. Coming from the computer-side of things, my gut reaction would be to adopt the former definition — that unauthorized use only occurs when a user exceeds or circumvents an access control mechanism.
For instance this sentence seems to me entirely non sequitur (and I don’t mean this in a critical or dismissive fashion, please believe me) — what you have described is in no way a “restriction on access” since it, by its very terms does not turn on the access itself.
By way of analogy, one cannot reasonably call a law forbidding being the getaway driver from a bank robbery a “restriction on driving” (in a literal sense it is, but not in traditional understanding) because the restriction does not in any way turn on the driving itself. The restriction is on robbing banks, not driving cars.
Of course, I doubt this kind of a strict separation was what Congress intended but it won’t be the first time they have assigned a meaning to terms that is in plain conflict with existing understanding.
February 11, 2010, 12:14 am
Oren__ says:
In a technical sense, initiating a VPN session might be construed as effectively requesting access to the controlled resource — even if you drop the attempt before going through the auth procedure.
Given Congress’ intent (and specific rejection of my preferred formulation) and given that the law broadly recognizes that one can give someone access for a particular purpose and only for a particular purpose, I think they would.
Actually, the last thought gives me pause — let’s suppose that I lend my buddy my car for the purposes of going to the grocery store and getting milk. Instead, he goes to the hardware store and buys bolts. What is the position of the law with regards to this violation of our terms? I doubt that he is now a car thief, although I might be wrong…
February 11, 2010, 12:19 am
Chris Travers says:
I dunno. If you make your buddy sign a contract which says “any driving other than to the grocery store and back again will be considered theft of the car and will be prosecuted as such” I wonder if you would have a case. Of course if I was your buddy, I would say “no thanks, I’d rather walk.”
However, if you aren’t that clear, don’t have a contract, etc. I would think you would run into the same vagueness issues…..
February 11, 2010, 12:24 am
Soronel Haetir says:
Rental though approaches this. I’ve seen articles where people complained that the GPS unit installed in a rental car told the company the renter left the proscribed area of service and massive penalties accrued. If instead of penalty fees the contract stipulated that leaving the area would terminate the contract and be reported as auto theft I don’t see that this would really raise any flags.
February 11, 2010, 12:59 am
eyesay says:
Suppose a company has a written policy that specifically prohibits using company computers to access the law blog “The Volokh Conspiracy.” The company takes measures to assure that employees are aware of the policy. An employee, aware of the policy, accesses the prohibited website and is fired.
The company computer was used in an unauthorized way. Should the fired employee now be subject to criminal prosecution as well?
I think Orin Kerr is saying, among other things, that if it’s already a crime to steal account information and use it to defraud customers and a financial institution, it’s not really helpful to pile on an additional crime of obtaining that account information through unauthorized access. Is that right?
February 11, 2010, 1:18 am
Lior says:
I think the definition of “authorization” should entirely depend on the technical aspects of the access. Most multi-user software has a security model which can be described in terms of the “capabilities” associated with each user account. Then using any of the capabilities of the account should be considered authorized while defeating the access control mechanism to obtain new capabilities should be considered “unauthorized”.
The question is basically the following: assume that the security system is weak, so that user accounts are granted too many capabilities — but the users are instructed not to use the extra capabilities. Is using the extra capabilities a federal felony?
For a canonical example, consider the case of a sysadmin in a typical company. In order to run the system he is given the “root” password, effectively a user account with unlimited capabilities (this is near-universal; only the most paranoid installations restrict the capabilities of root users). The sysadmin also has permission to monitor network traffic — this is part of his job, after all. It is basically impossible for the sysadmin to exceed his authorization in the technical sense (that is, the authorizations of his user account). But it is easy for him to do things his employer would object to (reading private e-mails, changing pay records). I think the right thing to say is that the computer access was authorized — the human was assigned an account with the capabilities — but that other crimes were committed.
Another example is related to “deep linking”. Assume Prof. Kerr places a file at without advertizing its existence or linking to it from anywhere. Pointing my browser at the address and reading the file should be fine — I have accessed the web server at volokh.com according to the normal procedures and it returned the file. On the other hand, if the webserver is configured to ask for a password, then me brute-forcing the password should be criminal — I have changed the capabilities I was supposed to have.
Finally it is not alleged that Ms. John increased the capabilities of her account, but rather that she abused the capabilities that she was granted by her employer. Just because what she did was wrong doesn’t mean that all tangentially relevant criminal laws make her specific act criminal.
February 11, 2010, 4:17 am
public_defender says:
Ahhhh. A former AUSA realizing that the federal criminal code is grossly overly broad. I love it.
I think the words are clear, it’s just the breadth of the plain words that’s stupefying. If your employer says “no personal use” and you look up a sports score, you have committed a federal crime.
It’s typical for a federal criminal statute. Breathing is a crime, subject to a reduction at the discretion of the prosecutor.
February 11, 2010, 6:00 am
ShelbyC says:
It seems pretty clear that congress intended “authorized” in the technical sense. Did they intend to criminalize an employee with access to a computer for work-related purposes checking football scores? How about a parent who tells their kid, no computer for a week, and the kid uses the computer anyway. I work on systems that control industrial equipment. Sometimes the operators of that equipment access those computers and surf the net. Is that a federal crime?
February 11, 2010, 8:34 am
JohnKT says:
So far as I know, “accessing a computer” was not meant in a technical sense. The point came up in a hearing on the original Ribicoff bill, 1979 I think. The example then was the programmer who used the company computer to make a Snoopy calendar. In those days, Snoopy and Woodstock were popular with programmers. Many workspaces were decorated with Snoopy and Woodstock calendars. Ribicoff addressed the point. He said that it would be prosecutable under his bill. Basically, the programmer should not be using the machine for play, and if he got caught up in the law, too bad (I’m summarizing from memory).
In other testimony, a security guy asked sarcastically what “approach a computer” could possibly mean. I remember his phrase “on bended knee?”
The gist of the proponents comments during these hearings was that the bill should be as broad as possible to allow the DoJ flexibility, and that we could trust to the prosecutor’s good sense.
As to whether surfing the net at work is a federal crime, I’m pretty much out of date because the original bill that I studied has been changed a lot, but for the worse I gather. Under the original bill, yes it was a Federal crime if anybody cared to prosecute it.
February 11, 2010, 9:03 am
Ricardo says:
But that would depend on the text of the auto theft statute, wouldn’t it? I’m not a lawyer but theft generally implies depriving someone of the use of their property, not making unauthorized use of someone’s property, doesn’t it?
Otherwise, a woman could demand that her boyfriend be prosecuted for auto theft since, instead of driving to the supermarket to pick up a gallon of milk like he said, he instead drove off with her car to see his ex (or visit an adult bookstore, or whatever). That doesn’t sound quite right to me.
February 11, 2010, 9:25 am
Malvolio says:
That would really raise a red flag with me. Basically, it allows an adhesion contract to be enforced by criminal law.
Take the most ridiculous case, say a sign in a restaurant that says, “Smoking in this restaurant will be prosecuted as attempted murder.” Hey, you deliberately ate at the restaurant, you consented to the contract. Silly, I admit, but really any sillier than saying, “Using your MySpace account to harass your neighbor will be treated as trespassing”?
Admittedly, there is some gray area on the other side. If you rent a car and then instead of returning it, sell it for parts, have you committed GTA? My intuition is yes, you have, even though you were contractually permitted to drive the vehicle.
February 11, 2010, 9:37 am
David Schwartz says:
That wouldn’t work. Only the legislature can define the elements of auto theft. Private individuals can’t define crimes to their liking.
This comes up in a lot of areas, this is just one. Another is when people claim that by violating a license, you’ve violated copyright law. (And therefore they’re entitled to statutory damages, a presumption of irreparable harm, and so on.)
Sorry, no, it’s not car theft without the elements of car theft. That includes, among other things, an intent to permanently deprive the owner of the car.
FWIW, I think Congress should go back to the drawing board on CFAA and tell us what it really wanted to make a crime, because we can’t tell.
February 11, 2010, 9:41 am
Carl Donath says:
That amounts to legal “harassment”: engaging someone in lawful communications, but to a degree or pattern which deliberately causes the recipient emotional distress or financial loss. Ex.: I can legally call you without your prior consent, but if I call you every minute indefinitely while breathing heavily you can press “harassment” charges. Likewise this VPN/DoS scenario: issuing a connection request is legally fine, but not if deliberately done in a way demonstrably contrary to normal/reasonable usage with an intent of causing the system owners harm.
February 11, 2010, 10:09 am
Aaron Nielson says:
I’m not sure it is accurate to say that Judge Smith “joined” the opinion. He dissented, albeit focusing on different grounds (that there was no plain error at sentencing), and so technically did not join any portion of the opinion. He presumably agrees with the outcome of the panel’s analysis here, but that doesn’t mean he joins the specific reasoning. He could have just concluded that there was no 5th Circuit law on this specific question, and so any error was not plain. See US v. Jackson, 549 F.3d 963 (5th Cir. 2008) (Smith, J.) (“Under plain error, if a defendant’s theory requires the extension of precedent, any potential error could not have been plain. … Because this is a question of first impression and the law was not obvious at the time of trial, any error was not plain.”). Judge Smith gets opinions out quickly and is unlikely to spend time on a back and forth on an issue when he agrees that there is no plain error, even if he disagrees as to the exact reason (Judge Smith rarely writes separately, and certainly does not write about every specific issue he disagrees with). Finally, if he announced he was dissenting at conference, then he may have had no consulting role in the drafting of the opinion at all.
February 11, 2010, 10:31 am
SeaDrive says:
IANAL, but first, and somewhat off topic, I think that in the case cited, any charges relating to unauthorized use of the computer ought to be a lesser included offense, and not really worth the court’s time to discuss. If it’s not for any reason, then it’s an example of the modern practice of tacking on charges ad infinitum.
Second, and more to the point, the line between authorized and unauthorized can get very blurry in the computer world. Suppose, for example, I’m a computer programmer and I’m given a task that requires access to the tables including employee salary data. It’s understood, usually tacitly, that I’m not supposed to look up how much everyone makes, and it’s especially understood that I’m not to tell anyone how much everyone makes. If I’m tasked to create reports, or I have to step through procedures to find a bug, I’m going to see SOMEONE’s info. What limitations, if any, apply to my choice of what data to look at? Given my explicit authorization to access the data in question, is it actually illegal for me to look up my boss’s salary?
February 11, 2010, 10:35 am
Soronel Haetir says:
I’ve actually been in that position. The solution was to have someone from accounting who would normally see the figures make up fake data for me to work on.
February 11, 2010, 11:07 am
Cassandra says:
My local senior center here in Austin offers WiFi and two computers for the seniors to use. They told me I couldn’t use them to access pornography, giving me a brochure that explicitly limits city employee computer behavior.
I have argued:
1. The rules pertain only to employees of the city.
2. Pornography is legal, especially for seniors.
3. The computer is mine–just connected to their WiFi.
Are they going to send an old lady to federal prison for looking at pictures of Michelangelo’s David? What if I use their WiFi from the sidewalk out front?
February 11, 2010, 11:10 am
Nick42 says:
Generally I like Prof Kerr’s idea that in order for there to be unauthorized access, you must bypass a code based control. I think it’s the best theory for what constitutes unauthorized access I’ve seen. I think its main shortcoming is that it is too narrow in some cases, such as the one you described. A vulnerability is by definition a flaw in the design or execution (code) of a computer program. If a computer was not mistakenly programmed in such a way to allow a control to be bypassed, it would not be possible to do so. In the case where a control was set up, but due to a flaw (vulnerability) an attacker bypasses it, that’s a clear case of unauthorized activity.
The problem arises when the programmer completely forgets to implement a control. For example, there are lots of poorly programmed web apps that do not restrict access to admin pages. If you know the location of the page you can visit it and control the application. There is no code based control that would prevent you from doing so. In some cases someone might innocently and inadvertently stumble upon such a page. It may not even be apparent that the admin page is something that a normal user shouldn’t access.
OTOH, there are attackers who run scanners looking for unprotected admin pages. Their intent is probably malicious and I think there’s a good argument their conduct should be criminalized. But all they are doing is requesting a page from a web server and noting if they get a successful response or a 404.
I think in the end, we may need to treat unauthorized computer access similar to physical trespass. We’ve had hundreds of years to come up with shared notions of what is and isn’t trespass. Generally, bypassing a physical control (picking a lock, jumping a fence, having someone leave the backdoor unlocked) is considered trespass. But some actions (hiding in the backyard of a private home) could be considered trespass, even though no physical control was bypassed. I could see a similar system where bypassing a code based control would definitely be unauthorized access, and some conduct (DoS, etc.) could also be considered unauthorized access. IANAL, so I don’t know how much of this would have to be spelled out before vagueness issues come into play.
One of these days I would like to take the time to go down a list of common attack types and determine if they would be considered unauthorized under Prof Kerr’s (and possibly other) standard.
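Editor’s added example, not part of Nick42’s comment or of any project discussed on this page: the “forgotten control” case he describes (an admin page reachable by anyone who knows its path) shown as a tiny Python dispatcher with the missing check beside a default-deny version that enforces a per-route role and records every denial, followed by a detector that reads access-log lines and flags clients whose requests to admin-like paths are repeatedly refused, which is what path-guessing looks like from the server’s side. The route table, role names, log lines and IP addresses are all constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# --- Minimal request model (constructed for this example; no web framework needed) ---

@dataclass
class Request:
    path: str
    user: Optional[str] = None                     # None means unauthenticated
    roles: FrozenSet[str] = field(default_factory=frozenset)

Response = Tuple[int, str]
Handler = Callable[[Request], Response]

def public_page(req: Request) -> Response:
    return 200, "welcome"

def admin_page(req: Request) -> Response:
    return 200, "admin console"

# --- The "forgotten control": the admin handler is routed like any other page ---

VULNERABLE_ROUTES: Dict[str, Handler] = {"/": public_page, "/admin": admin_page}

def dispatch_vulnerable(req: Request) -> Response:
    """Anyone who knows (or guesses) the path reaches the handler; nothing asks who is calling."""
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)

# --- Hardened: each route declares the role it requires; the dispatcher enforces it ---

HARDENED_ROUTES: Dict[str, Tuple[Handler, Optional[str]]] = {
    "/": (public_page, None),          # None: no role required
    "/admin": (admin_page, "admin"),   # hypothetical role name
}

def dispatch_hardened(req: Request, audit_log: List[str]) -> Response:
    """Default-deny authorization in the dispatcher itself, so no handler can be reached
    without the check, and every refusal is written to an audit log."""
    entry = HARDENED_ROUTES.get(req.path)
    if entry is None:
        return 404, "not found"
    handler, required_role = entry
    if required_role is not None:
        if req.user is None:
            audit_log.append(f"DENY anonymous -> {req.path}")
            return 401, "authentication required"
        if required_role not in req.roles:
            audit_log.append(f"DENY {req.user} roles={sorted(req.roles)} -> {req.path}")
            return 403, "forbidden"
    return handler(req)

# --- Detection: a client probing for admin pages in an access log ---

# Constructed sample log in common log format; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Feb/2010:11:23:01 +0000] "GET /admin HTTP/1.1" 404 153
203.0.113.5 - - [11/Feb/2010:11:23:02 +0000] "GET /administrator/ HTTP/1.1" 404 153
203.0.113.5 - - [11/Feb/2010:11:23:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 153
203.0.113.5 - - [11/Feb/2010:11:23:03 +0000] "GET /manage HTTP/1.1" 403 96
198.51.100.7 - - [11/Feb/2010:11:25:10 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [11/Feb/2010:11:25:11 +0000] "GET /admin HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ADMIN_PREFIXES = ("/admin", "/wp-admin", "/manage")   # constructed watch-list

def flag_probing(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Return {client_ip: count} for clients whose requests to admin-like paths were
    refused (401/403/404) at least `threshold` times: guessing paths, not following links."""
    refused: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if path.startswith(ADMIN_PREFIXES) and status in ("401", "403", "404"):
            refused[ip] += 1
    return {ip: n for ip, n in refused.items() if n >= threshold}

if __name__ == "__main__":
    log: List[str] = []
    print(dispatch_vulnerable(Request("/admin")))                                   # (200, 'admin console')
    print(dispatch_hardened(Request("/admin"), log))                                # (401, ...)
    print(dispatch_hardened(Request("/admin", "eve", frozenset({"user"})), log))    # (403, ...)
    print(dispatch_hardened(Request("/admin", "ops", frozenset({"admin"})), log))   # (200, ...)
    print(log)
    print(flag_probing(SAMPLE_LOG))                                                  # {'203.0.113.5': 4}
```

The point of putting the role check in the dispatcher rather than in each handler is that the control cannot be “forgotten” for one page: a route with no declared role is public on purpose, and a route that needs a role refuses with 401 or 403 before the handler runs. The detector complements it: the 200 on `/admin` from the second client in the sample is exactly the case the hardened dispatcher prevents, while the run of refusals from the first client is the pattern worth alerting on.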
February 11, 2010, 11:23 am
David Schwartz says:
Nick42: I agree with you. If Congress does go back to the drawing board on CFAA, your comments are precisely where they should start.
February 11, 2010, 11:57 am
Pintler says:
That’s OK for a developer (as long as you can recreate failures using the test data). If you’re a sysadmin trying to find out why the backup is abending, or fix a corrupted email inbox, you are going to be looking at the actual private data. Another example would be when an account appears to be engaged in hacking – we look through that account’s data in great detail.
For a real world analogy, your house is private, but its contents may be viewed by strangers when you call the plumber (ask to have your corrupt inbox fixed) or by firemen when a passerby notices smoke while you are gone (your account is engaging in hacking).
February 11, 2010, 12:13 pm
Bored Lawyer says:
Consider a common fact pattern: Employee is granted access to Employer’s computer system for the purpose of his work. Employer tolerates a low-level of personal use, but officially the computers are to be used only in furtherance of Employer’s business.
Employee then decides he is going into competition with Employer (either he is going to set up his own shop or work for his competitor). Before he leaves, and before he tells Employer about his plans to leave and compete, he accesses the computer system and downloads valuable trade secrets (a customer list, a secret formula, etc.)
If employee tries to use the info. in competition with Employer, there is no doubt he has committed several civil wrongs — he has breached his duty of loyalty and has misappropriated trade secrets.
Has he violated the CFAA?
On the civil side where I practice, this is an important question not because of criminal liability, but because the civil claims under the CFAA open the door to federal court, where Employer usually wants to be. (You then throw in the common law claims as pendent claims.)
Courts are divided on whether you can rely on the CFAA for this situation. (There are other side issues — whether the damages suffered are the type which the civil provisions are meant to cover.)
In any event, I think it is clear that the access here is unauthorized. It’s one thing to check the sports scores. It’s quite another to download the customer list to set up a competing business. As a factual matter, it seems clear to me that the employer did not intend to allow access for that purpose — not to mention that it is proscribed by other laws.
February 11, 2010, 12:28 pm
Bruce Boyden says:
I’m coming to the conclusion that the problem here is in trying to read substantive restrictions into 1030. The question should be whether the actual access to the information was authorized, not its subsequent use. So agreements that say that “you have access to information X on computer N only for purposes Y and Z” would trigger 1030 if the person accesses information not-X, or computer not-N, but not if the person accesses information X on computer N but uses it for purpose W. That’s breach of contract and theft of trade secrets or what have you, but not computer trespass. I think the problem for courts is that it’s bad, and it becomes difficult for judges to say it’s bad under other laws or norms but not the vaguely worded 1030.
February 11, 2010, 12:29 pm
Bored Lawyer says:
I was thinking the same thing, except that isn’t physical trespass also governed to some extent by what the owner does and does not allow?
Suppose the owner of the store puts up a sign: You are welcome to enter the store to shop, but not for other purposes.
If someone enters to, say, distribute political literature, isn’t that trespass?
(Put aside the cases that create a right of access to certain private areas, like shopping malls, for speech purposes.)
February 11, 2010, 12:32 pm
Nick42 says:
Bored Lawyer:
I disagree completely. That kind of agency or contract theory of unauthorized access is a bad idea. By that reasoning, what’s to prevent criminal liability for reading the volokh conspiracy from your work computer? Is it really just the indulgence of my employer that prevents posting this comment from my work computer from being a crime?
That way of using the CFAA criminalizes conduct that would be legal but for the use of a computer. If an employee has access to trade secrets on paper and misuses them in the exact same manner, accessing / copying the documents isn’t illegal; so why should doing the same via computer be criminal?
IMHO, it’s already way too easy for employers to railroad employees on hacking charges. Randal Schwartz’s and David Ritz’s cases are good examples. Schwartz was convicted under a state law for exercising what many would call due care of a machine under his control as a SysAdmin. Ritz was fined $50k for a civil violation of the CFAA – for issuing a DNS query. It seems that it’s just too easy to convince (what I assume are) technologically unsophisticated judges and/or juries that the geek did something scary with computers and must be punished.
February 11, 2010, 12:53 pm
Nick42 says:
IANAL, but in those cases, don’t you have to be told to cease your disallowed conduct and/or to leave before it becomes trespass? For example, if a mall puts up a sign disallowing chewing gum, and I chew gum there that’s not an instant trespass, is it? I’m under the impression it wouldn’t be trespass till a mall cop tells me to spit it out or leave.
I think this is where the analogy hits some snags. In most cases there isn’t an easy way to interdict behavior you don’t want on a web site. If a commenter was banned and IP blocked, then used other IPs to continue making comments, that might count. I think there was also a case involving the CFAA, where company A screen scraped company B’s website despite the TOS *and* being sent a cease and desist letter. These kinds of corner cases appear rather different than most types of classical hacking. Maybe the best solution would be to adopt a strong CFAA type law that prohibits hacking attacks (maybe closer to breaking & entering) and a weaker law that prohibits these kinds of unappreciated uses (closer to normal trespass).
February 11, 2010, 1:12 pm, David Schwartz says:
Allowing private individuals to make violation of some classes of contracts a crime is a hugely bad idea. The problem is that such contracts are frequently way too vague to fairly sustain criminal liability for their violation. Plus, this gums up the works by making efficient breach impossible.
Suppose my employer prohibits me from doing X with a computer because under normal circumstances there should be no reason I need to do that. But my employer is in serious trouble, and out of loyalty to the employer and with no time to obtain approval, I nevertheless do X and save them a huge amount of money, maybe even save them from going out of business. Should that be a crime just because a computer was involved? Seriously?!
February 11, 2010, 1:52 pm, Chris Travers says:
Provided the contract area was well enough defined. However, a number of questions occur to me.
1) If the contract violation was minor in that area (say, driving around Lake Tahoe when the contract said only in California), would it be something that would only be actionable as breach of contract and not as theft?
2) What if the departure was inadvertent and corrected in a timely fashion (accidentally crossing the state line on a freeway and turning around at the next opportunity)? Could one be guilty of accidentally stealing a car?
I am drawing a parallel here to questions of when copyright license violations become outright copyright infringement. My own thinking is that an honest mistake shouldn’t move an issue from a license violation to a criminal matter, nor should a minor violation.
February 11, 2010, 1:56 pm, Bored Lawyer says:
That is inherent in the kind of statute CFAA is — one that protects property interests (trespass being the closest analogy.) Property owners have an absolute right to decide who does or does not get to use their property. If I trespass despite the property owner’s express wishes, then I have committed the crime of trespass.
The CFAA incorporates that idea when it criminalizes only “unauthorized” access. The working assumption is that the computer owner will, in fact, “authorize” some people and not authorize others. Only the latter are subject to the criminal sanctions.
Same is true for many property crimes. If I let you borrow my lawn mower, you are merely a bailee. If you take it without permission, you are a thief.
The problem, of course, is that the owner can make the issue of who it will or will not authorize to have access be rather complicated. An easy case is where the owner says, “My employees are authorized, everyone else is not.” A harder case is where the owner says, “anyone among the public is authorized, but only under certain conditions or for certain purposes.”
To some extent, the vagueness doctrine of the Due Process Clause blunts this — it has to be clear that you are unauthorized, otherwise you cannot be subject to criminal sanctions. But there are still many cases — the disloyal employee stealing a customer list — where there is no vagueness involved. Assuming it was made clear to the person beforehand that, under the circumstances, his access was unauthorized, why is there a problem?
First of all, such copying would indeed be illegal. It is at least a civil wrong. In some jurisdictions, theft of trade secrets is criminal. (Is there such a thing as criminal trespass to chattels?)
Second, so what? The statute, by definition, is to protect integrity of computer systems. Why does the fact that it does not protect the integrity of paper files make it unfair?
Why isn’t that trespass? I don’t see why you have to be warned first. The sign is the warning.
(The chewing gum case is a bit off, since the person may well have come there to shop.
Change the case: Store puts up sign: “We permit entrance only to employees and those who are here to shop our premises. Solicitation of any kind not allowed.”
If you enter and start passing out literature, I would think you are a trespasser.)
Broad laws like this usually have a wide sentencing range to encompass the different shades of wrongdoing. A trespasser who simply comes onto property and sits there for five minutes but causes no harm is not going to be punished the same as someone who entered and trashed the place.
February 11, 2010, 1:57 pm, Chris Travers says:
One note is that in security-critical environments (VPNs, secure web servers, etc.) typically you have to deal with tradeoffs of vulnerabilities. For example, if you require authentication before establishing an encrypted channel, then you open up really major problems in the design of the software. On the other hand, if you require the encryption before authentication, then you open up denial of service problems. In general, you get more security in the latter.
I wonder if Prof. Kerr thinks denial of service attacks are entirely outside the scope of the definition of “unauthorized access” if they occur prior to authentication.
February 11, 2010, 2:28 pm, Chris Travers says:
Not at all. The sign says that I am not welcome, not that I am trespassing.
February 11, 2010, 2:31 pm, Oren says:
He probably shouldn’t. Whether or not Congress intended for this result is another matter entirely.
But the human was assigned an account with those capabilities for a very specific set of purposes and was not authorized to use those capabilities in excess of that purpose. It seems that Congress intended that precisely this case would be covered.
Moreover, your interpretation arbitrarily restricts the scope of contractual agreement to what can be technically enforced. You might as well say that when you loan someone your car, he can do with it as he pleases because you did not install a mechanical restriction preventing him from committing the unauthorized act (e.g. hardware store/grocery store/driving to Mexico).
The question of what “default authorization” exists in the absence of a TOS is separate from the instant case — here we have an explicit agreement to particular terms.
If there was a volokh.com TOS and you agreed not to access the files except through a particular interface, that would be more like this case.
On the other hand, just because she violated some other law does not mean that she also used the computer system in excess of the authorization.
February 11, 2010, 2:39 pm, Chris Travers says:
One more point here. What about the “confused deputy” problem?
For example, the Great Worm of 1988 didn’t bypass any authentication controls. Old versions of Sendmail would happily do whatever you told them to without any controls. So the worm would send itself to a Sendmail installation and then ask Sendmail to kindly compile and run it...
Now, let’s look at a new type of code vulnerability: XSRF. Who exactly “accesses” a computer via an XSRF attack? Indeed the person accessing the computer, and the person bypassing the computer in such an attack are not only different people but not even cooperating!
February 11, 2010, 2:46 pm, Orin Kerr says:
Chris Travers,
You might find this interesting, if you haven’t read it already.
February 11, 2010, 3:03 pm, Chris Travers says:
Orin:
Read it some time ago. It is an excellent paper.
The only thing I am struggling with is that “circumventing a code-based access control” does not necessarily mean “accessing a computer” and is also too narrow to cover certain types of technical attacks against authorization in a web-based environment.
For example, suppose you are logged into your company’s web-based accounting software. I send you a web mail with an IMG tag embedded in it to your web mail account. When you go to load the message, it causes your browser to make a request to your company’s software.
Two things:
1) I haven’t “accessed” any computer other than an email server, and probably not in an unauthorized way under any definition.
2) I have bypassed authorization in your accounting software by convincing your web browser to access the software and forward on instructions.
Reviewing your article it seems that XSS/XSRF/Clickjacking/DOS attacks would be outside the CFAA. Is this right? Would that make them instead properly tried as wire fraud and honest services fraud?
February 11, 2010, 3:24 pm, Oren says:
Why do people think that contracts of adhesion are not legally binding? In all 50 States they have full force of law.
Yes, but the legislature didn’t consent.
Here we are specifically trying to come to grips with what the legislature intended in this vague string of words from the English language that they call a statute.
February 11, 2010, 3:35 pm, Oren says:
I think that’s an unjustifiably technical parsing of your actions. You caused (via suitable trickery) a command to be executed on the accounting side of things.
It’s somewhat like a disgruntled train employee that rewires the tracks but claims innocence of murder because all he did was send electrical impulses down a control wire. The law is capable of reaching forward to criminalize the actual (not to mention intentional) effect of your action even if it doesn’t directly apply to the means by which it is done.
February 11, 2010, 3:48 pm, Chris Travers says:
Usually they don’t define the parameters of criminal law though. I personally think that contracts, where they move into areas with some backing of criminal law (copyright and patent licenses for example), should be seen as having penumbras within which any contractual violation is only a contractual and not a criminal matter.
Secondly adherence contracts are binding, but are generally subject to more scrutiny than fully negotiated contracts.
February 11, 2010, 3:56 pm, Chris Travers says:
There is a difference between negligently or intentionally causing a death and knowingly accessing a system in excess of authorization.
The question is whether this definition includes these sorts of attacks. Requiring “access” to be defined as even an exchange of electrical signals seems to preclude relayed attacks (XSS and friends) from being subject to that definition. Requiring the circumvention of a code-based control would seem to preclude denial of service (esp. DDoS attacks which don’t necessarily even attack a given piece of software specifically).
My point in raising this is that a very narrow definition of unauthorized access might not even include all technological attacks against given pieces of software. This is why I favor a slightly broader definition including, at a minimum, continued access to a system after clear and unambiguous communication that such actions were seen as sufficiently unauthorized to be subject to prosecution.
(Note that this leads me to a place very close to what Judge Wu eventually decided.)
(Also note: There is a difference between “Get out of my house” and “If you don’t get out of my house, I’m calling the police.” The latter is clear and unambiguous in a sense that the former is not. Terms of service are not sufficiently unambiguous to define unauthorized access, and are not sufficiently clearly explained to the end user either.)
February 11, 2010, 4:04 pm, Soronel Haetir says:
At least in terms of my rental car example the proscribed area often is in fact negotiable. And generally the larger the area you wish to be able to operate the vehicle without penalty the more expensive the rental will be.
February 11, 2010, 4:13 pm, Chris Travers says:
Ok, assuming a state has a law defining auto theft broadly enough to count in this case, I still think honest errors would have to be exempt and only be actionable under breach of contract. If for example, you rent a car only to be used in one state and get lost, cross state lines, turn around promptly, and return, that shouldn’t be auto theft even in such a hypothetical state. Similarly if you only, say, drive a couple miles into the other state for a day and return, that should similarly only be a matter of contractual law.
I don’t think it is reasonable that inadvertent or minor contractual violations could become serious felonies quite quickly.
February 11, 2010, 5:13 pm, Chris Travers says:
One other minor thing that occurs to me.
Authorization is not necessarily technical. If I consent to allow you to pen test my systems, any access within the scope of what is agreed upon is authorized even though I may be paying you specifically to try to circumvent code-based controls. Certainly such conduct is authorized and outside the control of the statute regardless of any possible affirmative defence of consent.
February 11, 2010, 5:24 pm, JMA says:
“I’ve actually been in that position. The solution was to have someone from accounting who would normally see the figures make up fake data for me to work on.”
Although it may be important to consider that what passes for “fake” data, in many cases, is surprisingly (or frighteningly) accurate. The fake data I work with is only “fake” in that it isn’t part of the production database. Simply generating similar-but-not data is practicable in small amounts, I figure, but I’m not sure such a practice can scale in a meaningful way for testing purposes. For instance, data generated for testing purposes may actually _work,_ unlike production data. :)
February 11, 2010, 6:05 pm, Chris Travers says:
Agreed.
To have proper test data it needs to be:
1) Approximately the same volume as production data
2) Approximately the same distribution of values as production data
3) Containing all the same sorts of data entry errors as production data.
If you don’t have this, you have no way of knowing via the test cases:
1) Does the production data have corner cases not handled in your code?
2) Will your database queries perform adequately in real life? (Statistical planners base query plans on data value distribution statistics among other things)
In essence, fake data works really well for ensuring certain kinds of tests work properly. However, it doesn’t work as a complete substitute for real data. The real test data almost needs to be a superset of the production data.
February 11, 2010, 7:00 pm, Alan O. says:
In many states a person who enters a business with the intent to commit a theft can be charged with burglary – on the theory that their intent when they entered was contrary to the permission given by the shopkeeper for customers to be present. This strikes me as a pretty good analogy to the computer access by an insider for the purposes of committing a crime.
February 11, 2010, 8:39 pm, SeaDrive says:
A real world error is as likely to be caused by bad data as bad code. Sometimes, someone has to look at the real data.
The IT department is not unique for having to confront these issues. Parallel circumstances can be set up in HR, Finance, or wherever.
February 11, 2010, 9:00 pm, readery says:
This is not a minimalist view. It criminalizes de minimis personal use — emailing one’s spouse, looking up the weather or the score of last night’s football game, etc. It turns virtually everyone into a criminal.
I think a construction which addresses the facts of this case could be arrived at; in this case, the employee accessed the computer specifically to steal from the employer and the employer’s customers. Accessing with intent to harm the employer or commit a crime is a very different thing from accessing for de minimis, non-harmful personal use.
This statute, as interpreted by the 5th Circuit, would make people think long and hard about the legal risks of working 12-hour days for their employer or working through meals. Better to go out to lunch and go home before dinner and remain a law-abiding citizen, than to work through mealtimes or evenings for one’s employer — and risk being convicted of a crime for unauthorized access to a computer to order a pizza or attend to a small amount of personal business one can’t get to one’s home computer to deal with.
February 11, 2010, 10:01 pm, Oren says:
It’s not the violation of the contract that is made criminal, it’s whatever continuing action you take after that point that can be criminal. If your rental car agreement says you have to return the car on the 13th and you do not, you are now a car thief not because you violated the contract but because you no longer have a legal right to possess the car.
And a provision of a rental contract indicating that you may not take the vehicle outside some geographical area, where the penalty is immediate revocation of your right to possess the vehicle seems to me conscionable by a mile.
Sure, one is one and the other is the other, my illustration was contra trying to hide behind XSS exploits as being relevant to the question.
Only for the hyper-literal.
So far we agree.
Which terms of service in specific did you have in mind? Some are ambiguous, others are specific to the point of textual hemorrhage.
Also, unless I am mistaken (and it happens often) contracting parties are under no obligation to “clearly explain” the meaning of a contract provided that both parties have full access to the text itself.
Any particular reason, other than that you prefer it this way?
If the contract provides that a particular breach automatically triggers instant revocation then I don’t see how either party can unilaterally decide otherwise. Perhaps one should not enter into such a silly contract but if you do, you ought to abide by the terms.
Depends on how the contract is drawn up. If you don’t want to be liable for auto-theft for making such an error, negotiate with the rental car company for a $100 fine instead of automatic revocation.
February 12, 2010, 12:18 am, Oren says:
It does no such thing. Now, it certainly does criminalize emailing one’s spouse after being duly informed (and agreeing) that one is not authorized to do so, but that’s an entirely different matter.
Or maybe it will press employers to provide for more reasonable access policies that delineate more clearly what is forbidden and what is allowed.
Ultimately, I place most of the blame with the employer that has a set of draconian rules that they don’t even want. It is not the State’s responsibility to “fix up” your silly company policies by monkeying around with the law to figure out what you “really mean”.
February 12, 2010, 12:27 am, Chris Travers says:
I think you are missing my point though.
I do a lot of work on reports on smallish databases (1-10 million rows in largest table) with years worth of financial data in them (often sensitive data).
You can make sure a given report “works” for certain values of “works” without real data, but you can’t go too far there. One thing you can’t do on such a db is know that everything is set up so that the report will perform adequately. This is because the better RDBMSs out there use methods of planning the queries which look at actual data statistics to determine what the fastest types of joins and scans are (for example a nested loop join with a bitmap scan vs a hash join with an index scan, or even a nested loop join with a sequential scan).
If you don’t have real-world data AND have up to date planner statistics for it, you simply can’t know whether the query will run fast or slow.
I have seen real world data even in OLTP environments mean the difference between tests passing and showing no problems and tests hanging (in one case due to cache misses)...
Sure these are coding and/or database design issues, but the issue is only brought out with the data.
February 12, 2010, 12:57 am, Chris Travers says:
So if the contract says you have to have the car back by 5pm on the 13th, and you have the car back at 5:15pm, is that a contractual problem or a criminal problem? (Assuming a hypothetical state which would make unauthorized borrowing with intent to return the car to be auto theft.) Maybe you got lost on your way to return it? After all you could be in a strange city. Is it up to the front desk employee to determine whether or not to call the cops when you return the car fifteen minutes or even two hours late?
Let’s look at another related issue.
You write a book and give me a license to print 50 copies for promotional purposes, for which I pay you $50.
If I print 60 copies perhaps because my employee misread my request is that a contract issue or a copyright infringement issue? (Clearly if I print 5000 copies, that would be copyright infringement, but assuming I only exceed the contract by a modest percentage.)
If you say I can print the copies to sell on Monday, Wednesday, and Friday, and I sell 3 copies on Thursday is that copyright infringement or breach of contract?
If I interpret the license to allow me to do something you didn’t intend and a court sides with you after the fact, is this a contractual issue or a copyright infringement issue?
I personally think that the license should be read to preclude suing over copyright infringement for either violations which are either sufficiently minor as to have sufficient remedy in contract law, or which are grounded in a reasonable reading of the contract from the licensee’s perspective.
February 12, 2010, 1:11 am, Chris Travers says:
“Honey, we accidentally crossed the state line, voiding our contract. I guess we better abandon the car by the side of the freeway rather than proceed to the nearest turnaround point so we are not guilty of auto theft. You wait here with the kids, I will hitch-hike back to the nearest town to make other arrangements...”
Or worse, (regarding time-based termination):
“This doesn’t look like a good neighborhood but there’s a bus stop up ahead. Our contract is about to expire. We’ll call them and let them know we are abandoning the car around here and take the bus. My cell phone isn’t working so that will have to wait until tomorrow. Good thing we are not responsible for the car in this neighborhood since we have no legal right to be in possession of it...”
One of Judge Wu’s points that I thought was right on the mark was that a lot of the MySpace terms of service were there for reasons other than prosecuting those who stepped outside. Because the terms of service didn’t specify exactly which violations of the terms of service could lead to prosecution under the CFAA, the terms of service were too vague to define the contours of authorized use.
Google’s terms of service (you have to hunt for them) prohibit minors from using their search engine. Are minors who run a google search engaging in criminal activity even if informed of the terms of service? Does Google really intend for this to be unauthorized?
I can see a ToS being able to define a scope of authorization, but it would seem to me that:
1) the applicable terms would have to spell out prosecution as a consequence of violation.
Or abandon the car when the contract is revoked! Even if such a contract could lead one to criminal charges it would be profoundly unwise for everyone...
Personally though I think Judge Wu’s test is better regarding the CFAA. If the terms are sufficiently clear AND specifically list prosecution under the CFAA as a consequence then maybe misdemeanor prosecutions might be possible. He also seems to allow for more leeway on felony prosecutions where another crime is being convicted (on this I have more mixed feelings).
For employees, this ought to mean that unless the employee handbook has the magic words (prosecution under the CFAA), such prosecution shouldn’t be possible.
February 12, 2010, 1:23 am, Tom T. says:
…doesn’t it sort of turn the statute into the crime of using a computer to commit a crime?
Isn’t this consistent with mail and wire fraud?
February 12, 2010, 7:07 am, SeaDrive says:
FWIW, today’s (2/12/2010) post on cyb3rcrim3 titled “Wi-Fi Privacy” discusses a case that began with inadvertent unauthorized access to a home computer network.
February 12, 2010, 9:47 am, Oren says:
That’s a matter between you and the company — they certainly are not required to call the cops immediately just because the contract gives them the authority to do so. Contractual rights are always to be exercised prudentially by the parties — if they are incapable of that I suggest you take your business elsewhere.
A contract that says 5:00PM doesn’t mean 5:15PM or 7:00PM. The contract meant what it says and says what it meant (apologies to Dr. Seuss, of course).
By the way, I see no reason that the car company cannot have the following contract:
Now, that’s a quite reasonable contract, but it doesn’t mean that from the legal point of view we should automatically convert every other similar contract into this one.
And I personally think that the license says what it means and means what it says. If the parties want to add a provision for good-faith error, they can do so. In fact, given your position here, you should insist on those provisions.
What I don’t see is why such good-faith provisions ought to be mandatory in every contract, even ones to which you are not a party.
Or write into your contract more reasonable termination provisions!
What you are essentially saying is that you don’t like the terms of the contract and thus you feel the right to unilaterally change them. That’s just not how it works.
Of course, I wouldn’t sign a contract where failure to return exactly on time revokes the whole thing (instead of assessing a monetary penalty) — that’s nuts. But if that’s what it requires then that’s what it requires. Don’t sign an agreement you can’t live with.
February 12, 2010, 1:21 pm, Oren says:
MySpace does not have the authority to change Congress’ language. If Congress wants to criminalize it, MySpace’s opinion on the matter makes zero difference (of course, they can change their agreement however they want, they just can’t change the straightforward application of the statute).
Congress criminalized all unauthorized access, not only the ones that the computer’s owner deems criminal. MySpace’s opinion on what violations are serious and what aren’t are simply not relevant to interpreting the statute.
Google is a multibillion dollar corporation with dozens of intelligent lawyers. It is absolutely absurd to suggest that they do not intend the plain terms of their own agreement.
I really don’t understand how you can rationalize second-guessing them on this. I’m certain they put a lot of thought and many drafts into formulating these rules — for you to suggest “that’s not what they intend” is simply not credible.
That would be true if Congress wrote a different statute. The existing statute says nothing about whether or not the agreement specifies anything.
February 12, 2010, 1:29 pm, Chris Travers says:
I always thought it was so that if a parent sued Google, they could claim in their defence that the access was unauthorized, not that it should be prevented and subject to prosecution.
Are you honestly suggesting that Judge Wu was wrong to throw out the misdemeanor charges against Lori Drew?
If so, had Megan Meier survived her suicide attempt, I am sure it would have been possible to convict her of enough unauthorized Google searches to put her away for the rest of her natural life! More on the vagueness problem later though.
February 12, 2010, 4:45 pm, David Schwartz says:
Google is a wise, rational actor subjected to a large number of competing desires. They prohibit things in their terms of use because of complex business decisions weighing any number of risks and rewards. To argue that they actually don’t want any minors to use their search service because they prohibit it in their terms of use and know what they’re doing is obviously nonsense. They do it despite the fact that they very much want this market.
February 12, 2010, 5:07 pm, Chris Travers says:
A note to Oren on Google terms of service and vagueness of CFAA when defined by terms of service.
Vagueness doctrine doesn’t only protect us against unintelligible laws. It also protects us against laws which are too broad to the point where they permit arbitrary enforcement against people we don’t like. In essence, the doctrine is designed to protect us against the “show me the man and I will show you the crime” mentality. If any 17-year-old who uses Google to do a search for material for a student report is guilty of a misdemeanor, then it becomes possible to prosecute just about anyone of that age simply because the activity is so commonplace. That sort of effect is not conducive to the rule of law.
There are a number of other issues as well. Contracts can be enforced entirely by discretion, meaning one could put up terms of service nobody complies with and then refer to prosecution anyone who causes problems.
I don’t think “authorization is what the ToS says it is” is any more maintainable than “authorization is complying with code-based controls.” I personally think that some sort of middle-ground is necessary. Given that terms of service are adherence contracts (generally non-negotiable), serve multiple purposes (reducing liability, defining acceptable use, etc.), I don’t think terms of service, without something more, can define authorized use for purposes of criminal law. Similarly, I think looking at code-based controls only is too narrow (because it excludes DoS, XSS, and the like). (Orin’s paper only mentions DoS once, and as a separate category of problems from unauthorized access.)
As I think about it, I would prefer to see the following elements be present in a court’s analysis:
1) CLEAR warning that certain access was subject to prosecution or otherwise clear knowledge of a lack of authorization. (circumventing code-based controls or criminal intent might satisfy this requirement, but mere inclusion of “don’t do x” in a multi-purpose document, such as a contract or an employee handbook, would not.)
2) That the specific limits of authorization detailed in #1 above do not pose vagueness or arbitrary prosecution problems.
In general, given the fact that contracts can be selectively enforced I think #2 would make it extremely difficult to hold any contract as defining criminal law in this way absent unusual circumstances (albeit ones this case presents).
February 12, 2010, 5:11 pm, Chris Travers says:
More notes on XSS and similar attacks and the question of access.
One of the rising threats to web applications is a loose collection of attacks commonly called “Cross-site scripting” or XSS for short. These generally include a number of types of attacks which require access to a system to perform but also a number which do not.
For example, if I include a javascript tag in this post and the blog engine doesn’t properly filter it out, it could be used to cause every visitor to submit content to this site (maybe make everyone post uncivil comments or the like). This sort of attack clearly requires access.
Two other forms of attack do not, however. The most important of these are Cross-Site Request Forgery (XSRF) and “clickjacking.” In neither of these cases is any direct access on my part necessary for the attack to be carried out.
The first form (XSRF) is carried out by including tags in a web site that cause the browser to make requests to another site. One could cause a browser to purchase books from Amazon, upload a fake payment against an invoice mailed to me to a web-based accounting program, or any number of other bad stuff. One mitigating factor is that, because XSRF does not involve access, the attacker can’t generally use it to obtain information unless the request would cause the application to make such information available to the attacker in other ways (emailing, etc).
The second type (much more severe because no code-based controls in web applications are useful in preventing it) is clickjacking. In this attack a website loads another website as an invisible layer on top of it. It is set up to ensure that when buttons are clicked on the apparent web site, they are clicked on the victim web site as well. In this way you may try to play a cute game but in the process order a number of books from Amazon earning me royalties... Once again, because I am not accessing the server, I can’t obtain any information from it that I would not normally have access to.
This seems to me to bear the same relationship to “unauthorized access” as tricking the neighbor’s kid to steal her mamma’s jewelry and give it to me is to breaking and entering...
Maybe it is only subject to prosecution as fraud (where it meets the requirements for that charge). I don’t know. I do know it is not “unauthorized access” by a narrow reading of the statute.
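The two non-access attacks described above (a cross-site form or image tag that makes the browser send a state-changing request, and a page framed invisibly so clicks land on it) each have a standard server-side defence. The following is an added example, not code from the commenter or from any site mentioned; the site origin, session store and request dictionaries are constructed for illustration.

```python
"""Defensive checks for cross-site request forgery and clickjacking.

Framework-free illustration: a request is a plain dict with "method",
"headers", "cookies" and "form" keys, as a browser would have sent them.
"""
import hmac
import secrets

SITE_ORIGIN = "https://shop.example"  # assumed origin of the protected site

# Constructed session store: session id -> CSRF token bound to that session.
SESSIONS = {"sess-abc": secrets.token_urlsafe(32)}


def issue_csrf_token(session_id):
    """Token the site embeds in its own forms; a foreign page cannot read it."""
    return SESSIONS[session_id]


def is_forged(request):
    """True when a state-changing request must be refused as cross-site.

    Two independent checks: the browser-set Origin (or Referer) header,
    which a cross-site form or <img> tag cannot spoof, must belong to this
    site, and the submitted token must match the one bound to the session
    cookie.  Either failure alone is enough to reject the request.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return False  # safe methods must not change state, nothing to protect
    headers = request.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer", "")
    # Exact origin match, or a Referer URL under that origin (not a prefix
    # match, which would also accept https://shop.example.evil).
    if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
        return True
    session_id = request.get("cookies", {}).get("session")
    expected = SESSIONS.get(session_id)
    submitted = request.get("form", {}).get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        return True
    return False


def anti_framing_headers():
    """Response headers that stop the page being loaded as an invisible layer.

    The browser refuses to render the page inside any frame; SameSite=Lax
    additionally keeps the session cookie off cross-site POSTs.
    """
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Set-Cookie": "session=sess-abc; Secure; HttpOnly; SameSite=Lax",
    }
```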
February 12, 2010, 5:52 pm
Oren says:
I’m not sure. So far, however, I will say I’m unconvinced at your attempts to distinguish. I will say, of course, that I think Congress was wrong to write the statute in such a breathtakingly broad manner.
That is, I’m still searching for a principled way to construe the statute not to criminalize Lori Drew, consistent with the will of Congress and consistent with the concept of authorization for a particular purpose in other venues of life. I am unable to do so at the present time.
And if a USA believes that is a good use of his office’s resources, we ought to replace him with a prosecutor with more common sense.
I mean, you could easily put me away for life for aggravated speeding (it becomes jail time after the 3rd conviction in my State, I’ve probably sped down the highway every weekday for the last few years). There is no doubt a systemic problem with overcriminalization and prosecutorial discretion gone amok. I acknowledge that wholeheartedly. What I don’t accept is that because of this we have to twist the meaning of the computer-use statute (or the traffic laws) to something that the legislature plainly did not intend.
It would be quite odd for them to express their desire for a particular action by making it a violation of the TOS. Perhaps this is some sort of legal genius that eludes my small mind…
While I agree with the merits of your point, that is most certainly not the position of the US Supreme Court. See, e.g. Connally v. General Const. Co:
There is no principle of Constitutional Law that I am aware of (again, small mind here) that forbids the legislature from criminalizing an activity simply because a large number of people engage in it. I am open to citation to the contrary.
By what other mechanism can a person gain authorization to use another person’s property except by explicit agreement? I don’t think it’s necessary to include boiler-plate language “No authorization is granted to access these systems except in compliance with these rules” — that’s plainly obvious. Lori Drew did not start from a position of having any authorization to access MySpace’s computer except as provided for by the ToS. Thus, the ToS is the sum and substance of her authorization.
First, adherence contracts are perfectly legal.
Second, the statute makes no reference to the purpose of the agreement. In fact, it does not make reference to agreements at all. It only makes reference to authorization.
1) OK then, we’ll tack on “And any access contrary to these rules is explicitly unauthorized” to all the rules (despite my position that that is entirely redundant since the ToS defines only what access is authorized with the remainder being unauthorized by default). I don’t think it makes a lick of difference.
2) This seems acceptable. We should apply some lenity here and hold that access that a reasonable person could conclude was authorized is not “unauthorized access” for the purpose of the statute. That is, I’ll bump it down a notch in scrutiny if you like.
The fact remains that access that no reasonable person could conclude was authorized is still criminal. No reasonable 17 year old could conclude that the Google TOS authorizes them to make a search, since the plain terms forbid it. That is, whatever the gray vague area, access without authorization (where the ToS does not suffice to grant that authorization) is sometimes quite clear cut.
Again, the contract does not define criminal law. It defines authorized actions.
That Congress made it criminal to access a system without proper authorization is entirely orthogonal to the manner in which authorized access is granted.
February 12, 2010, 7:12 pm
Oren says:
I wrote:
Just because I’m being extra generous today, we can even require this to flash in 72 point flashing red font with sirens and klaxon noises. Do you think that matters?
February 12, 2010, 7:14 pm
Chris Travers says:
But that raises the vagueness issues which are the Constitutional issues Prof. Kerr points out. At that point it doesn’t matter so much whether Congress intended the law to cover a certain set of issues so much as, according to current Constitutional interpretation, they don’t have the authority to reach everywhere it was intended.
Due process does not permit laws which can be enforced arbitrarily because this undermines the rule of law and allows people to be sent to jail simply due to being unpopular with the DA’s office.
Indeed, Judge Wu didn’t throw out the charges because of Congress’s intent but rather due to Constitutional problems with such prosecutions.
The first only makes sense in context to the second.
Well, it is more than that. I would argue that any behavior that the company generally tolerates REGARDLESS of whether it is banned in the terms of service cannot be subject to prosecution. If MySpace doesn’t make any substantial attempts to enforce truth in profiles, or prosecute offenders, they can’t just do so when tragedy strikes.
I would make a narrow exception to this regarding cease and desist letters. If someone has been told never to access a service again on pain of prosecution, then further access is clearly unauthorized.
The problem is that the contracts are generally permitted to be more vague than criminal laws are because the penalties and costs of getting it wrong for either side are less. Once you say “if you break this contract, you are a criminal because you accessed something in excess of authorization” then you allow the vagueness standard allowed in contract law to govern what is a criminal matter, which I don’t think is Constitutional.
There are really two options.
The first is to provide a fairly wide penumbra around contract law which is too vague for criminal matters to apply. In other words, if a behavior is within any reasonable reading of the contract, if there is a reasonable argument that it was allowed due to other contractual doctrines (justified breach, etc), or if it does not result in substantial harm, then it can only be remedied through civil lawsuits regarding contract law. If it causes substantial harm, no reasonable argument can be made that normal contractual defences would apply, AND is well outside any reasonable reading then it criminal law can apply. This is what I argue should be the case. This would narrow the scope down to things which either involve technological attacks against a program or involve truly egregious conduct.
The other option is to interpret all ambiguity in the favor of the licensee in contractual terms as well, and to apply extra scrutiny regarding unconscionable terms beyond those typically applied to adherence contracts. In essence, we could require the terms of service, to be valid at all, to adhere to the Constitutional standards of criminal statutes. This would make them next to useless however for what they are currently used for.
February 13, 2010, 12:26 am
Kirk Lazarus says:
How can you be liable for “auto-theft” for an inadvertent error? Has the requirement for a mens rea been abolished?
February 14, 2010, 5:09 pm
Oren says:
Congress has the authority to reach any act taking place on an interstate telecommunication system, provided they can articulate a rational basis for doing so.
The vagueness argument does, in fact, trouble me — I concede that much. I don’t concede that the solution to the vagueness problem is to read the statute in conflict with both its plain text and the legislative history.
I already agreed to the first proviso a few posts ago — that the party should be given the benefit of any reasonable reading of the contract. I’ll also grant you the second except — contractual doctrine supersedes the terms of the contract. Justified breach is perfectly acceptable. As to “substantial harm”, I think that’s not relevant here. Contracting parties are entitled to define substantial breach in any fashion they like — they ought to do so in a fashion they find reasonable and we should respect their determination.
Finally, I want to add that contracting parties can avoid criminal liability altogether by simply writing out the “unauthorized without” part of the TOS. For instance, MySpace could write:
Now there is no violation of MySpace’s TOS that is actionable under the statute because the statute particularly deals with unauthorized access and here MySpace has authorized all access except really malicious stuff and/or banned users.
February 15, 2010, 2:13 pm
Oren says:
I don’t think so. Look at my example above for the “model” MySpace agreement. The TOS explain under what terms MySpace will continue to have you as a welcome member of the community that can access their systems. The “rules” might be vague but the contractual part has all been separated out into the first clause — violation of the rules in part (B) does not automatically revoke access, it just subjects you to being banned which does.
The key point is that it is in the hands of those writing the contract to define when “unauthorized access” occurs. If they want to define it narrowly to reduce exposure to this Federal statute, they can. If they want to define it broadly, they can. Freely contracting citizens can then choose how they want to access it.
The charge of auto theft won’t stick since there is mens rea to permanently deprive the owner.
On the other hand, knowing possession of a stolen auto is an easy conviction. The mens rea is here “when he has information which would lead a reasonable person to believe that the auto is stolen”. He has the contract, any reasonable person would read that if it says “this contract absolutely terminates at 6:00PM” that you do not have authorization to keep the vehicle beyond that time.
February 15, 2010, 2:21 pm