In a recent post, I offered a series of amendments to narrow the Computer Fraud And Abuse Act. One amendment woud eliminate the concept of “exceeds authorized access” and instead limit the concept of unauthorized access to “access without authorization.” I offered the following definition of “access without authorization” that would be required for most misdemeanor violations of the CFAA:
the term “access without authorization” means to circumvent technological access barriers to a computer or data without the express or implied permission of the owner or operator of the computer;
The good folks at the Electronic Frontier Foundation took my proposal as a starting point and then added a tweak:
We basically took up former DOJ attorney and law professor Orin Kerr’s suggestion that CFAA should just do away with the phrase “exceeds authorized access” and define for the first time access “without authorization.” This definition should encompass all conduct considered “unauthorized.” [But] we also clarified the definition of “without authorization” to make sure the CFAA doesn’t penalize people who have permission to access data but use light technical workarounds to access that data in an innovative way. Since many of these techniques, such as changing IP addresses, have general application to protect the privacy of the user, they should not be cause to charge a felony.
Here’s the relevant additional language proposed by the EFF in italics:
The term “access without authorization” means to circumvent technological access barriers to a computer, file, or data without the express or implied permission of the owner or operator of the computer to access the computer, file, or data, but does not include circumventing a technological measure that does not effectively control access to a computer, file, or data.
Jennifer Granick has since weighed in with a thoughtful post. Jennifer offers the following explanation for why she prefers EFF”s language to my own:
Orin’s suggestions are really important. He streamlines the statute, reduces the changes that minor conduct will be the basis for a felony prosecution and deletes the language in the statute that has been most abused. However, by focusing purely on whether the service operator implements technological access barriers, [Orin’s] proposal risks a similar problem to the one that the current statute has, giving server owners plenary authority to criminalize the way members of the public interact with information made available online, but through “technological access barriers” rather than merely terms of service and employee agreements. There are many situations where otherwise law abiding people arguably seek to evade technological access barriers, but which should not be crimes.
This is why I favor the language suggested by the EFF. Their proposal builds on Orin Kerr’s good work, but further clarifies the definition of “without authorization” “to make sure the CFAA doesn’t penalize people who have permission to access data but use light technical workarounds to access that data in an innovative way.” . .. [The EFF’s] “effectively control access” language is pulled from the anti-circumvention provisions of the DMCA, 17 U.S.C. 1201. There are a lot of problems with section 1201, but “effectively control access” has been interpreted to mean that if the user otherwise has unfettered access to protected information via one route, technological controls on a particular manner of access are not given the force of law. Lexmark Int’l, Inc. v. Static Control Components, Inc., 387 F.3d 522 (6th Cir. 2004). . . .Thus, for otherwise unprotected information, if the computer server and information are made freely accessible to the user, digital attempts to control or condition the public’s manner or use of that information will not carry the force of CFAA punishment behind them.
Granick’s helpful post on some of the ambiguities of “code-based restrictions” provides a great opportunity to run through some of the most interesting fact patterns that have come up — either in cases or hypos — on where the border should be for CFAA liability. I’m going to run through some of the major examples, and I would like readers to answer in the poll whether they think the act of access should be legal (authorized access under the law) and which ones you think should be prohibited (“access without authorization”). Then feel free to offer thoughts in the comments, of course.
To make sure we’re on the same page, understand that the issue here is which of these examples should as a matter of policy be classified as (a) categorically legal under the “unauthorized access” prongs of the CFAA or (b) generally sufficient to establish some form of misdemeanor liability and (if additional elements are satisfied) potentially qualify for felony liability. Importantly, don’t worry for now about the statutory language, or which examples might be covered by which proposal. Instead, just tell me which examples you think should count as permitted authorized access and which should count as not permitted unauthorized access. In a subsequent post, we can reason backwards from those outcomes and come up with the best way of drafting the standard for “access without authorization” in light of which examples we think should be prohibited.
Here are six examples:
(1) Sally has an web-based e-mail account that she uses for personal e-mails. Joe suspects that Sally uses a common password that offers very little security, as the e-mail provider does not impose any restrictions on what passwords subscribers can use. Joe wants to teach Sally about good password practices, so he goes to her login page and (without her permission) tries the password “password.” That is in fact Sally’s password, so Joe is able to log in see Sally’s e-mails. In your view, should accessing Sally’s e-mail be considered permitted authorized access or prohibited unauthorized access?
(2) Sally sets up a “CAPTCHA” gate designed to ensure that only humans and not computers get access to her website where she is offering tickets for sale to her upcoming concert (only two tickets can be sold per person). Joe wants to buy 1,000 tickets to the concert so he can scalp them for a profit, so Joe writes a script designed to visit the website and guess at the correct letters and numbers. Use of the script allows Joe’s computer to bypass the CAPTCHA gate and purchase 1,000 tickets in a short period of time. In your view, should use of the script to bypass CAPTCHA and purchase the tickets be considered permitted authorized access or prohibited unauthorized access?
(3) Sally runs a news website and gives visitors five free visits a week as determined by a cookie placed on the visitor’s computer. If a person tries to visit more than five times in a week, however, the website blocks access and asks the user to purchase a subscription. Joe visits the website many times a day; when the site blocks access, he simply cleans out his cookies and keeps visiting. In your view, should this be considered permitted authorized access or prohibited unauthorized access?
(4) Sally has a website with pictures of her most recent party. Access to the website is protected by a password. Sally e-mails her friend who attended the party and invites them to visit the page and look at pictures using the password “sallysparty.” Joe did not attend the party but he is able to guess the password; he uses the password and sees the pictures. In your view, should using the password to see the pictures be considered permitted authorized access or prohibited unauthorized access?
(5) Sally is a college admissions counselor who decides to let applicants know if they have been admitted by sending them a link to a unique URL, such as www.college.edu/?shva=1#decision/13c9e80c03a4a673 A person who visits the URL will see a letter either admitting them or rejecting them. Joe wants to know who has been admitted to the college, so he he writes a script that queries the website at each of the possible URLs and collects the letters indicating the admissions decisions of all 5,000 applicants. In your view, should accessing the college site to collect all the decisions be considered permitted authorized access or prohibited unauthorized access?
(6) Sally runs a free social networking site in which users must register and obtain an account. The Terms of Use of the website say that each user can have only one account, and that they must not use the social networking site for commercial purposes. Joe signs up for an account and uses the site to sell his products. In response to complaints about this commercial use, Sally bans Joe’s account. Joe responds by signing up for a new account with a new name, and he then uses the new account to sell his products. Other users complain, so Sally bans Joe’s new account. Joe responds by signing up for a third account under a third name, and he accesses Sally’s social networking site and again uses the site to sell his products. This time, however, Joe acts in ways that keep complaints to a minimum, and Sally is never notified that Joe is back using the site. In your view, should creating the third account and accessing the site using it be considered permitted authorized access or prohibited unauthorized access?