BREAKING INTO AN EMPTY HOUSE: A THEORY OF REMEDIES FOR CFAA UNAUTHORIZED ACCESS TO NON-PROPRIETARY INFORMATION.

• Author: Rachum-Twaig, Omri
• Position: Computer Fraud and Abuse Act of 1986

1. INTRODUCTION

   In two appeals to the Court of Appeals for the Ninth Circuit, (1) the court was requested to calibrate and clarify the scope of the Computer Fraud and Abuse Act's (CFAA) unauthorized access to computers doctrine. (2) These two cases focus on a recurring set of circumstances that articulates a significant tension between the CFAA unauthorized access doctrine and basic understandings of (lack of) property rights in information. (3) In these types of circumstances, plaintiffs seek to restrict defendants from accessing their computers for the purpose of obtaining non-proprietary information. (4) The reason that the CFAA doctrine is invoked, rather than copyright, trade secrets, or similar property-related doctrines, is that the use or taking of the information, in and of itself, is not legally protected. (5)

   This article seeks to explore such tension by reviewing the doctrinal development of both the CFAA's unauthorized access doctrine and the parallel trespass to chattels doctrine, as well as the underlying theoretical justifications for such doctrines. Specifically, we show that much of the tension is manifested in the question of applicable remedies for breach of the CFAA's unauthorized access provisions. This is because some types of remedies may inadvertently create de facto property rights in otherwise nonproprietary information. (6) The need to distinguish between remedies for CFAA violations relating to proprietary and non-proprietary information is dictated both by theory and legislative history. (7) The latter specifically mentioned that different types of information require different legal treatment. (8) The above discussion will allow us to highlight some difficulties in current case law and to suggest a taxonomy of the available remedies to plaintiffs in such cases, as well as to offer guidelines for choosing the right remedies model. We believe that such guidelines could be useful in deciding both pending and future cases revolving around such circumstances.

   To gain a better understanding of the tension raised in the above circumstances, consider the following typical case: the plaintiff, a major social platform, allows the public to access its computers for the purpose of using the platform. (9) For this purpose, it grants access rights to non-proprietary information stored on these computers. (10) At a certain point, the plaintiff identifies that the defendant, a corporate entity, is accessing the information for the purpose of collecting and then utilizing the information for its own business purposes. (11) In most circumstances, such use of the information is in violation of the plaintiff's terms of use for the platform. (12) Once the plaintiff detects such a violation, it sends the defendant a cease and desist letter or attempts to technologically block the defendant from accessing its computers. (13) If the violation is repeated, the plaintiff then seeks legal redress. (14) Faced with such cases, the court needs to first decide whether a legal rule was violated, and if so, what the adequate remedy is. (15) If the court decides to grant injunctive relief or disgorgement of profits from the use of such information, this effectively means that a de facto property right in the information is granted to the plaintiff, although no such right exists under law. (16) If no remedy is granted at all, however, this effectively undermines the unauthorized access provision with respect to plaintiff's computers. (17)

   To properly analyze this tension and suggest valid ways to relieve it, we begin with reviewing existing case law revolving around such circumstances. This review traces back to cases brought not under CFAA doctrine, but rather under the common law trespass to chattels doctrine, which was applied to cyberspace. (18) We show that courts gradually limited this doctrine to a point where it does not provide effective means for plaintiffs to restrict defendants' access to their computers. (19) The case law then progressed to invoking the CFAA unauthorized access doctrine due to the fact that this is a statutory rule tailored to cases of online access to computers. (20)

   We show that while the current understanding of what constitutes a violation of the CFAA unauthorized access provision is relatively clear to courts, the question of appropriate remedies for such violations is seldom addressed by courts, and the results are largely inconsistent and varied. (21)

   Discussing the underlying theories of such doctrines, we believe, helps to explain both what constitutes violations of the CFAA unauthorized access provision and, more importantly, how the question of remedies should be resolved in various circumstances. The crux of the question is the interrelations between rules that protect the property itself and those that protect the boundaries in which property lies. We visit two main theoretical approaches to property in order to extract their application to such rules of boundaries. First, we consider autonomy-based theories that focus on a person's autonomy and ability to exclude others. Second, we discuss economic analysis as a tool to weigh the costs and benefits of boundary rules vis-a-vis the protection of property itself.

   Building on these theories, we suggest a novel account of why and how boundaries should be protected regardless of the protection of what lies within them. In this way, we resolve the apparent tension associated with the protection of boundaries even if there is no protected property within them while adding to existing economic literature on the subject and suggesting a new analysis of the matter under autonomy theory.

   Using the conclusions from the theoretical discussion, we present a taxonomy of alternative potential remedies for CFAA violations: no remedy for unauthorized access to non-proprietary information, injunctive relief and enforcement costs only, and full restitution and disgorgement of profits. Based on the theoretical conclusions, we suggest guidelines for choosing the right model in different circumstances. We first suggest a novel criterion to distinguish between appropriate remedy models. We believe that the distinction between private and publicly available information has a significant effect on the appropriate model to be chosen, and we explain how this distinction should be understood and applied. The novelty in our formulation of the distinction is that unlike approaches that view the existence of password protection as demonstrating that information is private, (22) we believe that the benchmark for the distinction is whether the access to the information was granted to an indeterminate public or to a pre-defined set of individuals. In other words, it is not the protection measures taken with respect to the non-proprietary information that matter, rather the choice of the computer owner to grant access to such information to the public.

   On the basis of the private-public dichotomy, we suggest that injunctions and enforcement costs be granted in cases of unauthorized access to private non-proprietary information. When it comes to publicly available non-proprietary information, we believe that the no-remedy model should be applied, in the sense that no injunction should be granted to restrict access in such cases, and we support this claim through the analysis of both theory and positive law relating to injunctive relief in general. However, this is a no-remedy model only to a certain extent. In contrast to other approaches, we believe that some remedial redress is theoretically justified in cases of such violations of the CFAA unauthorized access provision. We use an analogy to the doctrine of easement of necessity with respect to landlocked property to propose a model providing for judicially determined access rights subject to access fees paid to the computer owner. The suggested model is conditional on the defendant securing a court order allowing the access prior to violating the CFAA access provision. In cases where defendants fail to do so, we suggest reverting to the injunction and enforcement costs model.

   The remainder of the Article will proceed as follows: Part II will review existing case law on trespass to chattels and the CFAA unauthorized access provision; Part III offers a theoretical analysis of the protection of boundaries, regardless of whether they contain property, based on both autonomy based and economic theories; Part IV outlines a taxonomy of alternative potential remedies for CFAA violations based on the statutory language; Part V provides the guidelines for choosing the appropriate remedies model in various circumstances focusing on our account of the private-public dichotomy; and finally, Part VI concludes.

2. RECENT HISTORY & CURRENT DOCTRINE: FROM TRESPASS TO CHATTELS TO CFAA UNAUTHORIZED ACCESS

   In this Part II, we offer a descriptive account of the doctrinal history of two causes of actions used in cases where plaintiffs seek to prevent defendants from accessing their otherwise non-proprietary information. The first wave of cases revolved around the trespass to chattels doctrine, whose applicability courts limited over time to a point where it became almost un-actionable. (23) The second wave of cases, which is currently at its peak, revolves around the CFAA unauthorized access doctrine. (24)

   The questions that the two doctrines raise are quite similar, but there is a key difference between the two, namely that while the trespass to chattels doctrine is based on a general common law cause of action, (25) the CFAA access provision is a statutory doctrine specifically tailored to cases involving unauthorized access to computers. (26) In this sense, as we shall see, even though the second wave of CFAA claims was a continuation of the first wave to a great extent, courts found it harder to limit the doctrine and reached to a point where it has substantial applicability, also to cases of access to...