The Computer Fraud and Abuse Act Should Not Apply to the Misuse of Information Accessed With Permission

Publication year: 2022

47 Creighton L. Rev. 423.


DAVID J. SCHMITT(fn*)


I. INTRODUCTION

The Computer Fraud and Abuse Act(fn1) ("CFAA") makes it unlawful when an individual improperly accesses a protected computer "without authorization" or "exceeds authorized access".(fn2) The CFAA has been the subject of conflicting and contrary judicial interpretations as to whether it is limited to violations of access restrictions, or whether it applies when an individual misuses computer information that was accessed with permission.(fn3)

The dispute whether the CFAA applies to misuse has been caused by ambiguous statutory text, which creates uncertainty as to the intent of Congress. The phrase "exceeds authorized access" is defined in the CFAA as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter."(fn4) The text can be read in two ways. First, it could refer to a user who has permission to access certain files or information on a computer, but instead accesses unauthorized files or information.(fn5) Second, it could refer to a user who has permission to access information on a computer, but who misuses the information that was accessed with permission.(fn6)

Despite clear legislative history that the CFAA was intended as an anti-hacking statute, the ambiguous statutory text regarding "exceeds authorized access" has led to a split in the federal courts as to whether the CFAA applies to misuse.(fn7) Currently the determination of whether the misuse of information accessed with permission violates the CFAA is essentially dependent on the jurisdiction making the decision. The same type of conduct has resulted in vastly different consequences depending on which court addressed the CFAA claim.(fn8) A violation of the CFAA can result in criminal sanctions,(fn9) and civil liability,(fn10) so the manner in which it is interpreted has significant implications for those users faced with claims of violations.

Four United States Circuit Courts of Appeals have given a broad interpretation to the scope of the CFAA by finding it applies to the misuse of information the user had permission to access.(fn11) The United States Courts of Appeals for the First Circuit, Fifth Circuit, Seventh Circuit, and Eleventh Circuit have all adopted this broad approach.(fn12)

Two Courts of Appeals have interpreted the CFAA narrowly.(fn13) The United States Courts of Appeals for the Fourth Circuit and Ninth Circuit have held the CFAA is limited to violations of access restrictions, and that its scope does not extend to the misuse of computer information that was accessed with permission.(fn14) Those courts have placed greater emphasis on the legislative history, the legal doctrine of lenity which requires ambiguous criminal statutes be strictly construed, and policy considerations, such as an unwillingness to transform a large number of individuals into criminals for relatively innocuous violations of computer use policies.

Section II of this Article examines statutory provisions in the CFAA that have been frequently cited in actions alleging misuse of information.(fn15) Section III reviews the legislative history of the CFAA, which demonstrates it was intended as an anti-hacking statute and therefore arguably was not intended to prohibit the misuse of information accessed with permission.(fn16)

Section IV examines the split in the United States Courts of Appeals whether the CFAA is limited to violations of access restrictions, or whether it applies when information accessed with permission is misused.(fn17) It also examines conflicting district court decisions within the Second Circuit, as that court has not specifically decided the issue.(fn18)

Section V discusses legislation that has recently been proposed to resolve the ambiguity in the CFAA.(fn19) The proposed legislation strikes the ambiguous definition "exceeds authorized access" from the CFAA and clarifies that the CFAA does not apply to misuse.(fn20)

Section VI analyzes applicable legal doctrines to interpret the CFAA.(fn21) The doctrine of lenity requires that ambiguous criminal statutes be interpreted narrowly, and therefore the CFAA should be interpreted narrowly and not apply when information accessed with permission is misused.(fn22)

Section VII discusses policy considerations and the practical consequences against broadly interpreting the CFAA to apply to misuse.(fn23) Numerous users who engage in essentially innocuous conduct by violating computer use policies could be subject to criminal liability. A broad interpretation will also place too much discretion in the hands of prosecutors which could lead to inconsistent or discriminatory enforcement, uncertainty, and confusion as to what conduct is criminal under federal law.(fn24)

Section VIII recognizes the need for immediate resolution of the dispute.(fn25) The CFAA has significant criminal sanctions, so the dispute about whether the CFAA applies to misuse must be resolved to provide appropriate notice to the public regarding what conduct is criminal under federal law.(fn26) It can also impose civil liability for damage and loss.(fn27) Congress should pass legislation clarifying that the CFAA does not apply to misuse. Absent further action by Congress, the United States Supreme Court should grant review and resolve the judicial split in the circuit courts. The Supreme Court should follow the trend created by the recent federal court cases that the CFAA does not apply to misuse, which place greater emphasis on the legislative history, the legal doctrine of lenity, and policy considerations.(fn28) An immediate resolution is necessary, particularly given the growing use of computers in society and the workplace.

II. THE CFAA APPLIES WHEN A USER ACCESSES A PROTECTED COMPUTER "WITHOUT AUTHORIZATION" OR "EXCEEDS AUTHORIZED ACCESS"

The CFAA prohibits certain computer related conduct by a user who improperly accesses a protected computer "without authorization" or "exceeds authorized access."(fn29) The statutory provisions have been subject to significant debate and contrary judicial interpretations as to what activity is prohibited by the CFAA. Ambiguous statutory text has created uncertainty whether Congress intended it apply to the misuse of computer information that was accessed with permission. That uncertainty has led to a judicial split in the United States Courts of Appeals.(fn30)

The CFAA prohibits improperly obtaining information from "any protected computer".(fn31) A "protected computer" is defined as follows:

[T]he term "protected computer" means a computer -
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside of the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States . . .(fn32)

As noted, a "protected computer" includes any computer "used in or affecting interstate or foreign commerce or communication."(fn33) Under this broad definition, the CFAA has been interpreted to apply to any computer connected to the Internet.

In United States v. Trotter,(fn34) the court stated, "Congress clearly has the power to regulate the [I]nternet, as it does other instrumentalities and channels of interstate commerce."(fn35) The "Internet is an international network of interconnected computers," and "[a]s both the means to engage in commerce and the method by which transactions occur, 'the Internet is an instrumentality and channel of interstate commerce.'"(fn36) As such, the CFAA was enacted within Congress's power under the Commerce Clause and is constitutional.(fn37) Accordingly, the CFAA effectively applies to any computer connected to the Internet.(fn38)

The CFAA as originally enacted imposed criminal penalties. In 1994, Congress amended the CFAA to provide civil remedies.(fn39) The CFAA allows persons who suffer damage and loss by violations of the statute to recover compensatory damages and obtain injunctive relief, provided certain conditions are satisfied:

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses(fn40) (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). . . .(fn41)

There are several provisions in the CFAA frequently cited in actions alleging misuse of information. The provisions 18 U.S.C. §§ 1030(a)(2), (a)(4), and (a)(5) in particular have been relied on, although they have been subject to contrary judicial interpretations as to whether the CFAA applies when information that was accessed with permission is misused.(fn42)

...
