CRIMINAL TRESPASS AND COMPUTER CRIME.

• Author: Sacharoff, Laurent

TABLE OF CONTENTS INTRODUCTION 573 I. AN OVERBROAD STATUTE 578 A. The CFAA 578 B. Examples of Its Breadth 583 II. AN UNDUE FOCUS ON "WITHOUT AUTHORIZATION" 587 A. A Misdiagnosis 587 B. A Code-Based Solution? 590 1. The Original Code-Based Test 591 2. The Refined Code-Based Test 592 3. hiQ Labs 592 C. Complex Case Law 595 D. Dissenting Voices 597 III. THE CFAA As A CRIMINAL LAW 599 A. A More Natural Division 600 B. A Mens Rea of Knowingly 601 1. Step One 601 2. Step Two 604 3. Step Three 604 C. An Enhanced Knowingly 606 D. Mistake of Law 607 IV. LESSONS FROM STATE CRIMINAL TRESPASS 610 A. Why Criminal Trespass? 611 B. Criminal Trespass--Mens Rea 614 C. Enhanced Mens Rea 615 D. Personally Communicated Notice and the CFAA 617 E. Without Authorization 620 V. APPLIED TO CFAA CASES 624 A. Van Buren v. United States 625 B. Jury Instructions 629 C. Public Platforms 631 VI. THE PROBLEM WITH A CODE-BASED REGIME 633 A. A Code-Based Regime Is Vague 633 B. The Hacker Paradigm Amended Away 638 VII. CRIMINAL TRESPASS: A POOR MODEL 640 CONCLUSION 646 INTRODUCTION

The Computer Fraud and Abuse Act (CFAA) criminalizes the simple act of computer trespass. (1) It targets anyone who "intentionally accesses a computer without authorization." (2) The defendant need not have a bad motive or an intent to gain, nor cause any harm or damage to the computer or its owner. This simple trespass provision, section 1030(a)(2)(C), remains the most frequently charged crime of the CFAA subsections. (3) It is also the most frequent count in analogous civil lawsuits. (4)

Scholars (5) and courts (6) have rightly sounded the alarm at the apparent breadth of this trespass provision and its potential to criminalize everyday behavior. They have pointed to the term "without authorization" as the culprit. They call it vague and unconstitutional; they say it fails to provide notice, especially when it rests upon obscure terms of service. (7) For example, Facebook's terms of service prohibit those under thirteen years old from creating an account. (8) If a twelve-year-old child creates a Facebook account, has she committed a federal crime because she "access[ed] a computer without authorization"? (9)

Many of these scholars have long advocated for a particular solution: courts should hold that terms of service can never establish that access is without authorization. (10) Instead, many have argued for a code-based test. Access is without authorization only if the intruder circumvented some code-based barrier, such as hacking a password. (11)

Until very recently, courts had flirted with this code-based test, but declined to formally adopt it. (12) Then in September 2019 came a bombshell. The Ninth Circuit in hiQ Labs v. Linkedln adopted, in part, this code-based test. (13) The court held that accessing a site to scrape millions of profiles against the express wishes of the platform likely does not violate the CFAA because the information is not protected by a password login or other authentication mechanism. (14)

Courts and scholars misdiagnose the problem as arising from the element "without authorization" and propose the wrong solution in the form of a code-based test. (15) At the same time, they often ignore the mens rea requirement of the statute (16) or fail to recognize its full potential. (17) Orin Kerr has highlighted this problem: "Courts have not explored the role of mental state in establishing liability for computer trespass." (18)

This Article, therefore, argues that we should focus on the mens rea of the CFAA. Doing so will exempt from prosecution the vast majority of examples given as potential unjust applications of the CFAA. When properly interpreted, the CFAA applies a mens rea of knowingly to the statute's element "without authorization." An individual must know that her intrusion is "without authorization." This stringent mens rea requirement will spare the unwitting twelve-year-old Facebook user who creates an account unaware of the prohibition.

Now the text of the CFAA uses the mens rea term "intentionally." (19) But, as I detail below, this term collapses into knowingly when applied to "without authorization." (20)

A proper appreciation of the CFAA's mens rea of knowingly leads to several conclusions. First, it undermines the common argument that "without authorization" in the CFAA is unconstitutionally vague because that argument rests primarily on lack of notice. A mens rea of knowingly means that an individual does have actual notice that her access is without authorization. Indeed, in the physical world, court after court has held that criminal trespass laws are not unconstitutionally vague. (21) "Without authorization" is perfectly comprehensible--it means "stay out." (22)

Second, a mens rea of knowingly imports a kind of mistake of law defense into the CFAA. Suppose an individual lacks authorization because of operation of some other law, regulation, or even simply a proper interpretation of a platform's terms of service. The mens rea of knowingly requires that the defendant be aware of these other sources, such as some other law, and subjectively understand that this other law, regulation, or term of service prohibits her access. She must grasp that the effect of this other law is to revoke her authorization. (23)

Third, this Article shows that federal courts often instruct juries incorrectly concerning mens rea. Judges leave juries unaware they must find that the defendant knew her access was without authorization or that she exceeded authorization. (24) The jury instructions instead suggest that the government must prove that the defendant's intent related to the conduct of accessing the computer only, and if that intentional access was also without authorization, the defendant is guilty--without the additional showing that the defendant knew she lacked authorization. Below I illustrate this critical failure with an Eleventh Circuit case pending before the Supreme Court in its October 2020 term, Van Buren v. United States. (25)

Finally, this mens rea of knowingly will render unnecessary a code-based regime. True, if a person hacks into a system, that fact might be strong evidence that she knew her access was without authorization, but the touchstone remains knowledge. A hack is neither necessary nor sufficient to establish knowledge and is therefore not an appropriate test.

To support my interpretation of the CFAA, this Article dives deeply into the statute's text, legislative history, and reliance on the Model Penal Code. This Article has the advantage of the Court's recent pronouncement on federal mens rea in Rehaif v. United States and applies its holding and analogous reasoning here. It also carefully considers state criminal trespass laws in the physical world to lend further support to the mens rea approach. (26)

My proposal will greatly simplify the case law muddied by a focus on "without authorization" and courts' baroque redefinition of that term. (27) Different circuits have split on the meaning of the term "without authorization," along numerous fault lines, (28) and even the case law within the Ninth Circuit has become nearly incoherent. (29) The courts have taken a plain meaning term, "without authorization," and made it vague. An effective mens rea reduces the ambit of the statute far more simply and effectively than does a focus on the term "without authorization."

This Article ends with a coda, somewhat in tension with the rest of the Article but important nevertheless. The bulk of this Article accepts the CFAA as written and suggests the best interpretation based upon ordinary tools of statutory interpretation and construction. That interpretation also happens to ameliorate many of its potentially unjust applications as a happy byproduct.

But even my proposed interpretation leaves many unjust outcomes. The coda to this Article, therefore, makes a somewhat different argument: Congress should abolish the trespass provision of the CFAA. The provision will always remain unjust because at bottom, it criminalizes mere presence without any other harm, such as damaging the target computer or stealing valuable information. This coda sketches the history of unjust criminal trespass cases in the physical world to illustrate this problem.

In Part I, this Article surveys the breadth of the CFAA trespass provision using multiple examples. Part II surveys the diagnosis and solution by courts and other scholars: their undue focus on the term "without authorization" and the code-based regime as their proposed solution. Part III argues instead that we should focus on the CFAA's mens rea, why knowingly applies to "without authorization," and how powerful this mens rea can be. Part IV draws upon state trespass statutes and case law to reach similar conclusions. Part V applies these lessons to typical CFAA scenarios. Part VI directly challenges the key justifications for a code-based approach, particularly in light of my own proposal. Part VII draws the final lesson from criminal trespass law in a coda: computer trespass suffers from many of the same injustices as its physical world analogue. Rather than trying to fix the CFAA to conform more comfortably with the criminal trespass analogy, we should abolish its trespass provision in order to avoid importing criminal trespass's pathologies.

1. AN OVERBROAD STATUTE

   This Part shows how the CFAA has evolved into an extremely broad statute that criminalizes simple trespass to any computer merely to view any type of information. It shows how this breadth can lead to unjust applications with particular examples.

   1. The CFAA

      The CFAA criminalizes simple trespass in section 1030(a)(2)(C)--intentionally accessing a computer without authorization. (30) It also requires that a person obtain information, but since observing information suffices, (31) this element adds almost nothing. That is, the trespass provision of the CFAA almost completely parallels simple criminal trespass...