The IT Law Wiki

Latest revision as of 22:44, 4 March 2011

Definition

Exceeds authorized access is defined in the Computer Fraud and Abuse Act (CFAA) to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."[1]

Overview

The legislative history of the CFAA reflects an expectation by Congress that persons who exceed authorized access are likely to be insiders, whereas persons who act without authorization are likely to be outsiders. According to this view, users who exceed authorized access have at least some authority to access the computer system. As a result, Congress restricted the circumstances under which an insider (a user with authorized access) could be held liable for violating Section 1030. Such users are therefore subject to criminal liability under narrower circumstances.

The offenses that can be charged based on exceeding authorized access are limited to those set forth in subsections (a)(1), (a)(2), and (a)(4). Further, "[i]nsiders, who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage."[2]

The scope of any authorization hinges upon the facts of each case. Where the case involves exceeding authorized access, establishing the scope of authorized access may be difficult. The extent of authorization may turn upon the contents of an employment agreement or similar document, a terms of service notice, or a log-on banner outlining the permissible purposes for accessing a computer or computer network.[3]

In one case, however, an insider (a person with some limited authorization to use a system) strayed so far beyond the bounds of his authorization that the court treated him as having acted without authorization.[4] Typically, however, persons who are employees or licensees of the entity whose computer they used are held liable for exceeding authorized access as opposed to unauthorized access.[5]

In SecureInfo Corp. v. Telos Corp.,[6] the court dismissed a claim that defendants, who gained access to a protected computer due to breach of a software license by a licensee, either exceeded authorized access or gained unauthorized access. The court believed that the licensee had given the defendants authority to use the computer system, which undercut the plaintiff's unauthorized use claim.[7] Moreover, since it was the licensee and not the defendants who agreed to the terms of the license, the defendants were not bound to the use limitations, and therefore had not exceeded authorized access.[8] The court noted, however, that had the licensee (as opposed to the persons who gained access to the system via the licensee) been sued for exceeding authorized use, they may have been found liable under the theory set forth in EF Cultural Travel v. Zefer.[9]

The SecureInfo decision could arguably be read to support the proposition that users who are granted access to a system by an authorized user cannot be found liable under either an "unauthorized use" theory or an "in excess of authorization" theory. Presumably, however, had the third parties used their authorized access to obtain information unavailable to even licensed users, the court would have held them liable. However, the decision can also be read for the proposition that courts may be reluctant to predicate civil liability, much less criminal liability, under the CFAA solely upon a violation of a software licensing agreement.

References

  1. 18 U.S.C. §1030(e)(6).
  2. See S. Rep. No. 99-432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479; see also S. Rep. No. 104-357, at 11 (1996), available at 1996 WL 492169.
  3. See Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435 (N.D. Tex. 2004) (user agreement); EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (various site notices); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000) (terms of use notice); America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998) (terms of service agreement); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (employee confidentiality agreement).
  4. See United States v. Morris, 928 F.2d 504 (2d Cir. 1991). Gauging whether an individual has exceeded authorized access based upon whether the defendant used the technological features of the computer system as "reasonably expected" was criticized by one court as too vague an approach. EF Cultural Travel v. Zefer, 318 F.3d at 63 (in a civil case under §1030(a)(4), involving whether use of a web scraper exceeded authorized access, the court rejected inferring a "reasonable expectations" test in favor of express language on the part of the plaintiff).
  5. See EF Cultural Travel v. Explorica, 274 F.3d at 582-84 (holding that a former employee who violated a confidentiality agreement by providing information about accessing a protected computer system could be liable for exceeding authorized access).
  6. 387 F.Supp.2d 593 (E.D. Va. 2005).
  7. Id. at 608-09.
  8. Id. at 609-10.
  9. Id. at 609 (citing EF Cultural Travel v. Explorica, 274 F.3d at 582).