The Code-based Interpretation of Authorization: an Incomplete Picture

• Jurisdiction: United States,Federal
• Publication year: 2015
• Citation: Vol. 10 No. 3

Washington Journal of Law, Technology and Arts Volume 10, Issue 3Winter 2015

The Code-Based Interpretation OF Authorization: An Incomplete Picture

Nicholas R. Ulrich(fn*) © Nicholas R. Ulrich

ABSTRACT

The definition of authorization under the Stored Communications Act raises questions about implied authorization in situations where someone fails to secure an email account properly. The few cases that have addressed this issue under the federal act or its state equivalents have not created a bright-line rule. Instead, the question of authorization has been highly fact-dependent. Two leading interpretive theories have emerged on the question of authorization: the code-based theory and the trespass theory. While the code-based interpretation of authorization seems pleasing because it appears to provide highly predictive outcomes, it fails in some circumstances. This failure is especially obvious when someone inadvertently and unintentionally gives someone else permanent access to an email account by, for instance, saving their username and password in the browser of a shared computer. Courts interpreting cases in this context implicitly reject the code-based interpretation of authorization, which would provide no remedy, in favor of the trespass theory. Ultimately, the code-based model does not provide enough flexibility to fit all situations in which the courts wish to provide a remedy. The best test, therefore, involves aspects of both theories.

TABLE OF CONTENTS

Introduction .................................................................................. 222

I. Background ........................................................................... 223

A. The Stored Communications Act ..................................... 223

B. Civil Cause of Action ....................................................... 224

C. State Statutes .................................................................... 224

II. Courts Apply Two Interpretations of Authorization ............ 225

A. The Code-Based Interpretation is Narrow in Scope ........ 225

B. The Trespass Theory is a More Fluid Model ................... 226

III. Implied Authorization is More Complicated than the Code-Based Interpretation Allows ................................................. 227

A. The Context in which an Email Account is Inadvertently Left Open Demonstrates the Incompleteness of the Code-Based Theory of Authorization ................................................ 227

B. The Context of a Computer Shared Between Spouses Demonstrates the Predictive Appeal of the Code-Based Interpretation ................................................................. 230

C. Cases in which a Person Inadvertently Grants Permanent Access toSomeoneElseDemonstrateCourts' Unwillingness to be Constrained by the Code-Based Model ................ 231

IV. The Appropriate Approach to Authorization Looks to Both the Code-Based and Trespass Theories ...................................... 234

Conclusion ................................................................................... 235

INTRODUCTION

At a time where anything and everything is done online, and when our computer, phone, or tablet can store all of our private email accounts and passwords, when do we implicitly grant someone else authorization to access that information? The question is not as clear-cut as some would like to think. There are two models of interpreting the ultimate question of what constitutes authorization under the federal Stored Communications Act ("SCA"): the code-based theory and the trespass theory. The code-based theory relies on whether the user bypasses code-based protections of the computer or system, whereas the trespass theory analogizes to trespass law to determine implied authorization. Depending on the facts of the case, the outcome may necessarily be different depending on which model is used. While the code-based theory is growing in popularity, it fails to provide a remedy in all cases where society and the courts appear to see the need for one. In those circumstances, the courts implicitly reject the code-based interpretation in favor of the more fluid trespass model, often leaving the ultimate determination of implied authorization to the jury.

I. BACKGROUND

As technology developed, privacy protection laws needed to as well. A wiretap statute that only penalized voice interception proved inadequate once communications started becoming electronic and digital.(fn1) Further, courts lacked guidance as to what extent common law protections extended to electronic communications. Recognizing these problems, Congress passed the Electronic Communications Privacy Act ("ECPA") in 1986.(fn2) This Act expanded the Wiretap Act to include the "interception" of electronic communications.(fn3) Congress also recognized that electronic communications are not always in transit; service providers also place them in temporary storage.(fn4) The ECPA, therefore, included the Stored Communications Act to protect communications in electronic storage.(fn5)

A. The Stored Communications Act

Congress passed the Stored Communications Act ("SCA") to extend privacy protections to electronic communications stored on a server that provides email or other electronic communication service.(fn6) The Act provides that whoever "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility . . . shall be punished . . . ."(fn7)

The classic problem Congress designed the SCA to address is when an individual hacks into an email provider and reads another individual's emails. As one departs from the archetypal example, however, the analysis becomes more complicated. This Article does not attempt to answer the ultimate question of when a person can and cannot implicitly have authorization. Instead, this Article attempts to demonstrate the highly fact-dependent nature of the inquiry.

B. Civil Cause of Action

The SCA provides for a civil cause of action, which allows persons who are "aggrieved" by the violation of the SCA to recover damages from the violator.(fn8) Notably, the civil cause of action requires a lesser mens rea: from intentional to either "knowing or intentional."(fn9) The SCA also guarantees a minimum of a $1,000 recovery, grants the court power to award the prevailing party costs and attorney's fees, and allows for the possibility of punitive damages if the conduct was "willful or intentional."(fn10)

C. State Statutes

Certain states have adopted comparable statutes to the SCA.(fn11) For example, New Jersey expanded its Wiretap Act to include language equivalent to that of the federal SCA.(fn12) While New Jersey's version has a different grammatical structure than its federal counterpart, the phrasing and requirements are virtually identical.(fn13) Further, New Jersey's version of the SCA also provides for a civil cause of action for a violation by any person "aggrieved by any violation" of the...