In a recently-filed amicus brief submitted by Oracle America Inc. before the en banc Ninth Circuit in United States v. Nosal, the important Computer Fraud and Abuse Act case I have blogged a lot about, Oracle makes the following argument about interpreting “access” and “authorization” in the context of the CFAA. The CFAA’s prohibition on exceeding authorized access and access without authorization is modeled on trespass principles, the brief reasons, so the scope of the CFAA should be interpreted by reference to the trespass principles articulated in the Restatement (Second) of Torts. According to the Oracle brief, this means that (a) computer owners can condition access to their computers using express restrictions like Terms of Service, but (b) express restrictions are only enforceable in some circumstances. The brief summarizes when express restrictions can be enforced under the tort of trespass as follows:
[Whether a written access restriction can be enforced by trespass law is a] fact-dependent conclusion drawn from the totality of the circumstances, and “it may be manifested by action or inaction and need not be communicated to the actor.” [Restatement (Second) Torts § 892(1) (1979).] see id. § 892 cmt. c. Accordingly, courts sometimes find that a written or posted access restriction has been overridden or lifted.
This common-law principle takes several forms. One is the doctrine of apparent or implied consent; another is estoppel or waiver. Courts are suspicious of posted access restrictions that by their terms apply to everyone but that in fact have been selectively enforced “against some members of the public as opposed to others”; when the signals conflict, courts may find a posted restriction ineffective. Winn, The Guilty Eye, 62 Bus. Law. at 1424. Similarly, a property owner who knowingly acquiesces in a person’s course of access may waive the right to call it a trespass. See id.; see also 75 Am. Jur. 2d, Trespass § 67 (estoppel defense). When an owner has “actual knowledge” of repeated trespasses, the owner’s “habitual acquiescence … may constitute a license for persons to enter the land, if the tolerance is so pronounced as to be tantamount to permission.” 75 Am. Jur. 2d, Trespass § 73. Community custom is especially relevant in determining apparent consent. See Restatement (Second) Torts § 892 cmt. d; cf. McKee v. Gratz, 260 U.S. 127, 136 (1922) (“A license may be implied from the habits of the country.”). Above all, commonsense and reasonableness are the guides, as they are with all totality-of-the-circumstances inquiries.
Like other established doctrines of the common law of trespass, the reasonable approach to judging posted access restrictions applies to the CFAA. And it easily answers Nosal’s policy concerns. If, as Nosal posits, it is well known that millions of employees and Internet users actually violate posted restrictions on computer and information access every day, chances are good that those restrictions are not bona fide.
I considered this argument when I was writing my Cybercrime’s Scope article in 2003, but I concluded that it’s not persuasive. The problem is that the principles of interpreting common law torts are pretty different from the principles of interpreting criminal law statutes. The CFAA is a criminal statute: Although Congress later added some civil remedies to it, the statute is primarily a criminal statute and its basic prohibitions need to be interpreted accordingly. So while it’s true that the CFAA harnesses the basic concept of a trespass, I don’t see a good reason to adopt the details of the trespass tort when interpreting the CFAA.
The void for vagueness doctrine demonstrates the problem. The scope of common law tort liability is not subject to vagueness challenges. As a result, the scope of common law tort liability can be quite unclear. That’s fine in the tort context: It’s not a big deal if a person who may be trespassing isn’t entirely sure if the posted notice is enforceable. But the void for vagueness doctrine requires at least some degree of clarity in the criminal context. Hinging criminal liability on whether the term of service violated is one that is violated as a “habit of the country” and for which there is “habitual acquiescence ” is just too unclear. No one really knows how that would be applied.
The difference between trespass onto physical land and access into a computer is a significant part of the problem. In the case of a physical trespass, we can get a sense of social norms by observing what notices are enforced. We know where we are on physical land, and can only be in one place at a time. We visually observe enforcement, and we visually observe if notices are ignored. But it’s hard to obtain knowledge as to how seriously a particular computer provider takes each provision in the Terms of Service. Users can’t generally know what Terms are are meant to be taken seriously and which aren’t. Plus, a computer user might be accessing several different computers at the same time. Users don’t have obvious ways of determining which of the dozens or even hundreds of written restrictions that might apply to them at any given time are really intended to be taken seriously. How does a computer user know which terms are violated as a “habit of the country”?
In my view, the more natural way to interpret the criminal prohibition on unauthorized access is by following how the criminal law has traditionally interpreted crimes that have an element of “without consent.” Here’s what I wrote in my 2003 article:
Although many criminal law offenses do not permit a consent defense, a few traditional crimes require absence of consent or permission as an element of the offense. For example, trespass and burglary prohibit presence on physical property without the permission of the owner; rape and sexual assault prohibit sexual penetration without the consent of the victim. In many cases, consent or the lack of consent is clear. In some cases, however, consent raises difficult legal questions. The scope of consent is particularly difficult when a perpetrator tricks the victim into granting authorization and consent, and the court must determine whether the trickery vitiates the consent. The law recognizes the victim’s consent in some contexts, but not in others.
The general approach is to focus on whether the victim actually consented to the act that occurred, regardless of whether the victim consented in reliance on representations concerning collateral matters. Courts and commentators often label this the difference between consent derived from fraud in the inducement and consent derived from fraud in the factum. When a victim agrees to allow the defendant to engage in specific conduct in reliance on a misrepresentation, the consent is based on fraud in the inducement, and the consent remains valid despite the misrepresentation. The element “without consent” or “without authorization” normally will not be met. In contrast, when a victim allows the defendant to engage in one kind of conduct but the defendant engages in a different type of conduct, the consent is based on fraud in the factum and the law will not recognize it. The element “without consent” is satisfied.
Consider a few examples drawn from prior cases. A man who borrows a car from its owner after promising that he will borrow it for only a few minutes instead takes the car for several hours. The defendant is not guilty of use of an automobile without the consent of the owner. Because the owner actually agreed to let the defendant drive the car, the misrepresentation is merely fraud in the inducement. Several common and quite disturbing examples of the distinction appear in cases interpreting the law of rape, which prohibits sexual intercourse without consent. For example, a man who falsely claims to be a doctor and convinces a woman that she must have sex with him to cure her of a serious disease is not guilty of rape, because the woman’s consent to have intercourse derives from fraud in the inducement. In contrast, a gynecologist who tricks a female patient into having sexual intercourse with him by convincing her that she merely is submitting to a nonsexual medical exam is guilty of rape because the fraud constitutes fraud in the factum. Although the circumstances of property crimes and sexual assault crimes are of course dramatically different, the same basic rule has been held to apply in both contexts: The key question is whether the victim has consented to the specific act. Misrepresentation as to a collateral matter does not suffice to satisfy the legal requirement of lack of consent.
Why is this standard relevant to unauthorized access statutes? My contention is that the distinction between circumventing code-based restrictions and breaching contract-based restrictions [such as violating terms of uervice] relates to the traditional distinction between fraud in the inducement and in the factum. The comparison may seem a bit jarring at first, as it substitutes a computer for a human victim and the nature of the harm is vastly different. But similarities exist at a conceptual level: Computer misuse laws prohibit access to a computer without authorization, whereas trespass laws prohibit physical appearance in a home without permission and (if one can pardon the comparison) rape and sexual assault laws prohibit sexual intercourse without consent. Speaking anthropomorphically for a moment, the computer is “tricked” into authorizing the defendant to access the computer, in a way conceptually similar to how a homeowner might be tricked into allowing a person into their home or a victim might be tricked into consenting to a request to engage in sexual activity. From this perspective, the fact that a user accessed the computer means that the computer must have authorized the access. The question is, was the authorization induced by a type of fraud that voids the authorization as a matter of law? What kind of fraud negates the authorization the computer granted the user?
Access based on breach of contract [such as violating written restrictions on computer use] resembles fraud in the inducement: The computer “agrees” to allow the user access, subject to some promise or condition. For example, if a user registers for an e-mail account and later breaches the terms of service, she in effect convinces the computer to grant her access based on the false representation that she will comply with the terms. The access breaches the terms of service, but the fraud against the computer is only fraud in the inducement. Following traditional principles of criminal law, the access should not be deemed “without authorization.” No criminal violation has occurred.
In contrast, access that circumvents code-based restrictions resembles fraud in the factum. The computer has not agreed to let the user access the computer. Instead, the computer is tricked into letting the user access the computer through a misrepresentation as to whether the user is accessing the computer at all. The computer may “believe” that the user is someone else, as in the case of a defendant utilizing another person’s username and password. The computer may be tricked into unwittingly giving access to the user, as in the case of a hacking exploit such as a buffer overflow attack. Both cases resemble fraud in the factum because the computer does not recognize that it is consenting to access by that particular user. The fraud in the factum voids the authorization, and the access is legally “without authorization.”
Judge Kozinski’s opinion in Theofel v. Farey-Jones , 359 F.3d 1066 (9th Cir. 2004), got some of this idea in theory, but misapplied it by relying entirely on the civil trespass tort as the basis for authorization. The result was that Kozinski construed serving an overly broad subpoena for information stored on a computer as akin to hacking into the computer for information, which strikes me as a rather bizarre result. Perhaps Nosal will provide the Ninth Circuit with the appropriate opportunity to distance the court from this implication of Theofel. For more details on this, see Kerr, Computer Crime Law 57-60 (2d Ed. 2009) (discussing the analogies to trespass analogy and consent in the context of Theofel).