Without authorization

Many of the criminal offenses contained within the Computer Fraud and Abuse Act (CFAA) require that an intruder either access a computer without authorization or exceed authorized access. The term "without authorization" is not defined in the Act, and one court found its meaning "to be elusive."

The legislative history of the CFAA reflects an expectation by Congress that persons who exceed authorized access are likely to be insiders, whereas persons who act without authorization are likely to be outsiders. Outsiders are intruders with no rights to use a protected computer system, and they are subject to a wider range of criminal prohibitions than insiders who merely act in excess of their authorization. Those who act without authorization can be convicted under any of the access offenses contained in the CFAA (18 U.S.C. § 1030(a)(1)-(5)), and can be punished for any intentional, reckless, or other damage they cause by their trespass.

"Authorized" is a fluid concept. Even when authorization exists, it can be withdrawn or it can lapse. In some instances, a court may invoke agency law to determine whether a defendant possessed or retained authorization to access a computer.

In Shurgard, employees were found to have acted "without authorization" when they accessed their employer's computers to appropriate trade secrets for the benefit of a competitor. The court applied principles of agency law, and concluded that the employees' authorized access to the employer's computers ended when they became agents of the competitor.

Notably, Shurgard, Citrin, Vi Chip, and Lockheed all involved employees who were accused of abusing (e.g., selling, transferring, or destroying) data to which they had authorized access as part of their jobs. As a result, the plaintiffs were unable to establish that the defendants exceeded authorized access. Instead, in each of these cases the plaintiffs attempted to argue that access became unauthorized when the employee's purpose was not to benefit the employer. Essentially, each argued by reference to the Restatement (Second) of Agency that when the agent's duty of loyalty to his principal was breached, the relationship was terminated and subsequent access was unauthorized. To prevail under this theory, a plaintiff must convince the court that the relationship was essentially terminated (i.e., the authorization to access the data was lost) even while the employee was still technically in its employ. The courts in Shurgard, Citrin, and Vi Chip agreed with this rationale, but the court in Lockheed did not.

One court found that insiders acted without authorization when they violated clearly defined computer access policies.

Cases
In United States v. Morris, 928 F.2d 504 (2d Cir. 1991), Morris was convicted under a previous version of section 1030(a)(5), which punished "intentionally access[ing] a Federal interest computer without authorization," 18 U.S.C. § 1030(a)(5)(A) (1988), despite the fact that Morris had limited authorization to use the system.

In United States v. Ivanov, 175 F. Supp. 2d 367 (D. Conn. 2001), a Russian intruder broke into an American company's customer databases and was found to have acted without authorization.