The IT Law Wiki
(New page: The term ''exceeds authorized access'' is defined by the Computer Fraud and Abuse Act (CFAA) to mean "to access a computer with authorization and to use such access...)
 
Line 1: Line 1:
 
The term ''exceeds authorized access'' is defined by the [[Computer Fraud and Abuse Act]] ([[CFAA]]) to mean "to [[access]] a [[computer]] with [[authorization]] and to use such [[access]] to obtain or alter [[information]] in the [[computer]] that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).
 
The term ''exceeds authorized access'' is defined by the [[Computer Fraud and Abuse Act]] ([[CFAA]]) to mean "to [[access]] a [[computer]] with [[authorization]] and to use such [[access]] to obtain or alter [[information]] in the [[computer]] that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).
  +
 
The [[legislative history]] of the [[CFAA]] reflects an expectation by [[Congress]] that persons who exceed authorized access are likely to be insiders, whereas persons who act [[without authorization]] are likely to be outsiders. According to this view, [[user]]s who exceed authorized access have at least some [[authority]] to [[access]] the [[computer system]]. As a result, [[Congress]] restricted the circumstances under which an insider — a [[user]] with [[authorized access]] — could be held [[liable]] for violating Section 1030. Such [[user]]s are therefore subject to [[criminal]] [[liability]] under more narrow circumstances.
 
The [[legislative history]] of the [[CFAA]] reflects an expectation by [[Congress]] that persons who exceed authorized access are likely to be insiders, whereas persons who act [[without authorization]] are likely to be outsiders. According to this view, [[user]]s who exceed authorized access have at least some [[authority]] to [[access]] the [[computer system]]. As a result, [[Congress]] restricted the circumstances under which an insider — a [[user]] with [[authorized access]] — could be held [[liable]] for violating Section 1030. Such [[user]]s are therefore subject to [[criminal]] [[liability]] under more narrow circumstances.
  +
 
The [[offense]]s that can be charged based on exceeding authorized access are limited to those set forth in subsections (a)(1), (a)(2), and (a)(4). Further, "[i]nsiders, who are [[authorized]] to [[access]] a [[computer]], face criminal liability only if they intend to cause [[damage]] to the [[computer]], not for [[reckless]]ly or [[negligent]]ly causing damage."<ref>''See'' [[S. Rep. No. 99-432]], at 10 (1986), ''reprinted in'' 1986 U.S.C.C.A.N. 2479; ''see also'' [[S. Rep. No. 104-357]], at 11 (1996), ''available at'' 1996 WL 492169.</ref>
 
The [[offense]]s that can be charged based on exceeding authorized access are limited to those set forth in subsections (a)(1), (a)(2), and (a)(4). Further, "[i]nsiders, who are [[authorized]] to [[access]] a [[computer]], face criminal liability only if they intend to cause [[damage]] to the [[computer]], not for [[reckless]]ly or [[negligent]]ly causing damage."<ref>''See'' [[S. Rep. No. 99-432]], at 10 (1986), ''reprinted in'' 1986 U.S.C.C.A.N. 2479; ''see also'' [[S. Rep. No. 104-357]], at 11 (1996), ''available at'' 1996 WL 492169.</ref>
 
The scope of any [[authorization]] hinges upon the facts of each case. Where the case involves exceeding authorized access, establishing the scope of [[authorized access]] may be difficult. The extent of [[authorization]] may turn upon the contents of an [[employment agreement]] or similar document, a [[terms of service]] notice, or a [[log-on]] [[banner]] outlining the permissible purposes for [[access]]ing a [[computer]] or [[computer network]]. <ref> ''See [[Southwest Airlines Co. v. Farechase, Inc.]],'' 318 F.Supp.2d 435 (N.D. Tex. 2004) ([[user agreement]]); ''[[EF Cultural Travel BV v. Zefer Corp.]],'' 318 F.3d 58 (1st Cir. 2003) (various [[site]] [[notice]]s); ''[[Register.com, Inc. v. Verio, Inc.]],'' 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000) ([[terms of use]] [[notice]]); ''[[America Online, Inc. v. LCGM, Inc.]],'' 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998) ([[terms of service]] [[agreement]]); ''[[EF Cultural Travel BV v. Explorica, Inc.]],'' 274 F.3d 577 (1st Cir. 2001) ([[employee]] [[confidentiality agreement]]).</ref>
 
The scope of any [[authorization]] hinges upon the facts of each case. Where the case involves exceeding authorized access, establishing the scope of [[authorized access]] may be difficult. The extent of [[authorization]] may turn upon the contents of an [[employment agreement]] or similar document, a [[terms of service]] notice, or a [[log-on]] [[banner]] outlining the permissible purposes for [[access]]ing a [[computer]] or [[computer network]]. <ref> ''See [[Southwest Airlines Co. v. Farechase, Inc.]],'' 318 F.Supp.2d 435 (N.D. Tex. 2004) ([[user agreement]]); ''[[EF Cultural Travel BV v. Zefer Corp.]],'' 318 F.3d 58 (1st Cir. 2003) (various [[site]] [[notice]]s); ''[[Register.com, Inc. v. Verio, Inc.]],'' 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000) ([[terms of use]] [[notice]]); ''[[America Online, Inc. v. LCGM, Inc.]],'' 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998) ([[terms of service]] [[agreement]]); ''[[EF Cultural Travel BV v. Explorica, Inc.]],'' 274 F.3d 577 (1st Cir. 2001) ([[employee]] [[confidentiality agreement]]).</ref>
  +
In one case, however, an insider (a person with some limited [[authorization]] to use a [[system]]) strayed so far beyond the bounds of his [[authorization]] that the court treated him as having acted [[without authorization]].<ref>''See [[United States v. Morris]],'' 928 F.2d 504 (2d Cir. 1991).</ref> Typically, however, persons who are [[employee]s or [[licensee]]s of the entity whose [[computer]] they used are held liable for exceeding authorized access as opposed to [[unauthorized access]].<ref>''See [[EF Cultural Travel]], 274 F.3d at 582-84 (holding that a former [[employee]] who violated a [[confidentiality agreement]] by providing [[information]] about [[access]]ing a [[protected computer]] [[system]] could be liable for exceeding authorized access).</ref>
+
In one case, however, an insider (a person with some limited [[authorization]] to use a [[system]]) strayed so far beyond the bounds of his [[authorization]] that the court treated him as having acted [[without authorization]].<ref>''See [[United States v. Morris]],'' 928 F.2d 504 (2d Cir. 1991).</ref> Typically, however, persons who are [[employee]s or [[licensee]]s of the entity whose [[computer]] they used are held liable for exceeding authorized access as opposed to [[unauthorized access]].<ref>''See [[EF Cultural Travel]], 274 F.3d at 582-84 (holding that a former [[employee]] who violated a [[confidentiality agreement]] by providing [[information]] about [[access]]ing a [[protected computer]] [[system]] could be liable for exceeding authorized access).</ref>
  +
 
In ''[[SecureInfo Corp. v. Telos Corp.]],'' 387 F.Supp.2d 593 (E.D. Va. 2005), the Court dismissed a claim that defendants, who gained [[access]] to a [[protected computer]] due to [[breach] of a [[software license]] by a [[licensee]], either exceeded authorized access or gained [[unauthorized access]]. The court believed that the [[licensee]] had given the defendants [[authority]] to [[use]] the [[computer system]], which undercut the plaintiff's [[unauthorized use]] claim.<ref>''Id.'' at 608-09.</ref> Moreover, since it was the [[licensee]] and not the defendants who agreed to the [[term]]s of the [[license]], the defendants were not bound to the [[use limitations]], and therefore, had not exceeded authorized access.<ref>''Id.'' at 609-10.</ref> The court noted, however, that had the [[licensee]] &mdash; as opposed to the persons who gained [[access]] to the [[system]] via the [[licensee]] &mdash; been sued for exceeding authorized use, they may have been found liable under theory set forth in ''[[EF Cultural Travel]].''<ref>''Id.'' at 609 (''citing [[EF Cultural Travel BV]]'', 274 F.3d at 582).</ref>
 
In ''[[SecureInfo Corp. v. Telos Corp.]],'' 387 F.Supp.2d 593 (E.D. Va. 2005), the Court dismissed a claim that defendants, who gained [[access]] to a [[protected computer]] due to [[breach] of a [[software license]] by a [[licensee]], either exceeded authorized access or gained [[unauthorized access]]. The court believed that the [[licensee]] had given the defendants [[authority]] to [[use]] the [[computer system]], which undercut the plaintiff's [[unauthorized use]] claim.<ref>''Id.'' at 608-09.</ref> Moreover, since it was the [[licensee]] and not the defendants who agreed to the [[term]]s of the [[license]], the defendants were not bound to the [[use limitations]], and therefore, had not exceeded authorized access.<ref>''Id.'' at 609-10.</ref> The court noted, however, that had the [[licensee]] &mdash; as opposed to the persons who gained [[access]] to the [[system]] via the [[licensee]] &mdash; been sued for exceeding authorized use, they may have been found liable under theory set forth in ''[[EF Cultural Travel]].''<ref>''Id.'' at 609 (''citing [[EF Cultural Travel BV]]'', 274 F.3d at 582).</ref>
  +
 
The ''[[SecureInfo]]'' decision could arguably be read to support the proposition that [[user]]s who are granted [[access]] to a [[system]] by an [[authorized user]] cannot be found liable under either an [[unauthorized use]] or an in excess of authorization theory. Presumably, however, had the third parties used their [[authorized access]] to obtain [[information]] unavailable to even [[license]]d [[user]]s, the court would have held them liable. However, the decision can also be read for the proposition that courts may be reluctant to predicate [[civil liability]], much less [[criminal liability]], under the [[CFAA]] solely upon a violation of a [[software license|software licensing agreement]].
 
The ''[[SecureInfo]]'' decision could arguably be read to support the proposition that [[user]]s who are granted [[access]] to a [[system]] by an [[authorized user]] cannot be found liable under either an [[unauthorized use]] or an in excess of authorization theory. Presumably, however, had the third parties used their [[authorized access]] to obtain [[information]] unavailable to even [[license]]d [[user]]s, the court would have held them liable. However, the decision can also be read for the proposition that courts may be reluctant to predicate [[civil liability]], much less [[criminal liability]], under the [[CFAA]] solely upon a violation of a [[software license|software licensing agreement]].
  +
  +
==References==
  +
  +
<references />
   
 
[[Category:CFAA]]
 
[[Category:CFAA]]

Revision as of 21:36, 9 October 2007

The term exceeds authorized access is defined by the Computer Fraud and Abuse Act (CFAA) to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).

The legislative history of the CFAA reflects an expectation by Congress that persons who exceed authorized access are likely to be insiders, whereas persons who act without authorization are likely to be outsiders. According to this view, users who exceed authorized access have at least some authority to access the computer system. As a result, Congress restricted the circumstances under which an insider — a user with authorized access — could be held liable for violating Section 1030. Such users are therefore subject to criminal liability under more narrow circumstances.

The offenses that can be charged based on exceeding authorized access are limited to those set forth in subsections (a)(1), (a)(2), and (a)(4). Further, "[i]nsiders, who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage."[1] The scope of any authorization hinges upon the facts of each case. Where the case involves exceeding authorized access, establishing the scope of authorized access may be difficult. The extent of authorization may turn upon the contents of an employment agreement or similar document, a terms of service notice, or a log-on banner outlining the permissible purposes for accessing a computer or computer network. [2]

In one case, however, an insider (a person with some limited authorization to use a system) strayed so far beyond the bounds of his authorization that the court treated him as having acted without authorization.[3] Typically, however, persons who are [[employee]s or licensees of the entity whose computer they used are held liable for exceeding authorized access as opposed to unauthorized access.[4]

In SecureInfo Corp. v. Telos Corp., 387 F.Supp.2d 593 (E.D. Va. 2005), the Court dismissed a claim that defendants, who gained access to a protected computer due to [[breach] of a software license by a licensee, either exceeded authorized access or gained unauthorized access. The court believed that the licensee had given the defendants authority to use the computer system, which undercut the plaintiff's unauthorized use claim.[5] Moreover, since it was the licensee and not the defendants who agreed to the terms of the license, the defendants were not bound to the use limitations, and therefore, had not exceeded authorized access.[6] The court noted, however, that had the licensee — as opposed to the persons who gained access to the system via the licensee — been sued for exceeding authorized use, they may have been found liable under theory set forth in EF Cultural Travel.[7]

The SecureInfo decision could arguably be read to support the proposition that users who are granted access to a system by an authorized user cannot be found liable under either an unauthorized use or an in excess of authorization theory. Presumably, however, had the third parties used their authorized access to obtain information unavailable to even licensed users, the court would have held them liable. However, the decision can also be read for the proposition that courts may be reluctant to predicate civil liability, much less criminal liability, under the CFAA solely upon a violation of a software licensing agreement.

References

  1. See S. Rep. No. 99-432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479; see also S. Rep. No. 104-357, at 11 (1996), available at 1996 WL 492169.
  2. See Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435 (N.D. Tex. 2004) (user agreement); EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (various site notices); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000) (terms of use notice); America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998) (terms of service agreement); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (employee confidentiality agreement).
  3. See United States v. Morris, 928 F.2d 504 (2d Cir. 1991).
  4. See EF Cultural Travel, 274 F.3d at 582-84 (holding that a former employee who violated a confidentiality agreement by providing information about accessing a protected computer system could be liable for exceeding authorized access).
  5. Id. at 608-09.
  6. Id. at 609-10.
  7. Id. at 609 (citing EF Cultural Travel BV, 274 F.3d at 582).