The federal computer crime statutes punish unauthorized access to a computer. As regular readers know, courts are hopelessly divided on what this language means, and in particular what makes an access to a computer authorized versus unauthorized. In Cheng v. Romo, 2012 WL 6021369 (D. Mass. Nov. 28, 2012), Judge Casper authored an opinion on an interesting wrinkle that I’ve pondered but that hasn’t come up before in published decisions: How do computer crime statutes apply when one party gives his password to another party for some limited uses, but the latter party uses the password for broader uses? Is access with the password, but beyond the implicit or explicit limit, “unauthorized” for purposes of the computer crime laws?
Here are the facts of the new case. Cheng and Romo were doctors who worked together. Cheng used a personal Yahoo e-mail account for work purposes. Romo sometimes needed to access work-related documents that had been sent to Cheng’s Yahoo account, so Cheng gave Romo his password. Cheng didn’t place explicit limits on when Romo could access his account, but it was apparently understood between the two of them that Cheng gave Romo his password so she could access his account for work-related reasons. Fast forward several years, and Romo’s relationship with Cheng and the company where they work has soured. Romo leaves the company, and later sues the company — as does Romo’s husband. Romo becomes eager to know what is happening at the company, so she uses the password Cheng gave her and logs in and reads Cheng’s e-mail. Romo felt “very uncomfortable” about accessing Cheng’s e-mail account so many years later, for reasons clearly not foreseen by Cheng. On the other hand, he had given her his password. Cheng later found out about Romo’s access to his e-mail account, and he sued her under the Stored Communications Act, 18 U.S.C. 2701, an unauthorized access statute specific to e-mail accounts that has both civil and criminal provisions. In the new ruling, District Judge Denise Casper denied Romo’s motion for summary judgment on the ground that the facts are in dispute: It’s not sufficiently clear what the agreement was between Cheng and Romo or what Romo’s state of mind was when accessing the account.
Judge Casper’s denial of summary judgment certainly seems correct given the factual uncertainty. More broadly, I suspect that the mens rea requirement will answer a lot of shared password situations. Because the statute requires intentional unauthorized access, the statute is not violated unless the defendant acted intentionally with respect to the illegal conduct. With that said, it’s not entirely clear what the underlying dividing line is between legal and illegal. One approach would be to follow the scope of agency granted by the registered user. If A gives B permission to access his account with condition X, perhaps any access beyond the scope of condition X is prohibited by the statute. Another approach would be to track the terms of service of the provider: If the e-mail provider says that no one can share a password, for example, perhaps any access to an account registered by another person is an unauthorized access. Or perhaps some other standard is appropriate, or some combination of these standards. (My instinct is to say that the scope of agency granted by the registered user controls, and that Terms of Service are irrelevant, but I’d have to think more about the former.) And whatever standard is adopted as a matter of law, the significance of the mental state requirement will vary along with it. The statute prohibits intentionally doing the unauthorized thing, not being aware that one is acting wrongfully or violating the law, so the standard of “intentionally” hinges on what standard is used to define authorization.
Fascinating issues. It will be interesting to see whether the case goes to trial, and if so, whether Judge Casper and/or the First Circuit will develop more of the legal issues down the road.