The federal computer crime statute criminalizes accessing a computer “without authorization” or “exceeding authorized access,” with the important caveat that no one seems to know what it mean to access a computer “without authorization” or to “exceed authorized access.” See 18 U.S.C. 1030. The concepts are particularly tricky in the case of a written restriction on computer access. If a computer owner gives you permission to access a computer for a particular purpose or in a particular way, and you access the computer in ways contrary to those express limitations, does that violation render the access unauthorized? This was the main issue in the Lori Drew case, involving the violation of MySpace’s Terms of Service: The Government’s theory in that case was that an Internet user who violates MySpace’s TOS was thereby accessing the computers without authorization. The District Judge tossed the charges on the ground that this theory would render the statute unconstitutionally vague.
Now consider the Fifth Circuit’s decision yesterday in United States v. John, authored by Judge Owen and joined by Judge Smith and Judge Haynes. John was an account manager at Citigroup who provided her half-brother with customer account information so he and his friends could run up fraudulent charges. In addition to charging John with credit card fraud and conspiracy — the obvious charges in such a case — the government also charged John with unauthorized access to Citigroup’s computers. The government’s theory was that by accessing Citigroup’s computers to further a fraud, in violation of Citigroup’s apparent policies that employees could access information only for work-related reasons, John had committed an unauthorized access. The jury convicted on all counts.
On appeal, John challenged her conviction for unauthorized access on the theory that she was authorized as an employee to access the computer, as [...]