Many of the criminal offenses contained within the Computer Fraud and Abuse Act (CFAA) require that an intruder either access a computer "without authorization" or exceed authorized access. The term without authorization is not defined in the Act and one court found its meaning "to be elusive."
The legislative history of the CFAA reflects an expectation by Congress that persons who act without authorization are likely to be outsiders. Outsiders are intruders with no rights to use a protected computer system, and, they are subject to a wider range of criminal prohibitions than insiders who merely act in excess of their authorization. Those who act without authorization can be convicted under any of the access offenses contained in the CFAA (18 U.S.C. § 1030(a)(1)-(5)), and can be punished for any intentional, reckless, or other damage they cause by their trespass."
It is relatively easy to define the universe of individuals who lack any authorization to access a computer. When someone from this group of people accesses the computer, the access is necessarily “without authorization” for purposes of the CFAA. A more difficult question is whether a person with some authorization to access a computer can ever act “without authorization” with respect to that computer. The case law on this issue is muddy, but, as discussed below, there is growing consensus that such “insiders” cannot act “without authorization” unless and until their authorization to access the computer is rescinded.
Prosecutors rarely argue that a defendant accessed a computer “without authorization” when the defendant had some authority to access that computer. However, several civil cases have held that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach. Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party.
The Citrin/Shurgard line of cases has been criticized by courts adopting the view that, under the CFAA, an authorized user of a computer cannot access the computer “without authorization” unless and until the authorization is revoked. Most significantly, the Ninth Circuit has rejected Citrin 's interpretation of “without authorization” and found that, under the plain language of the CFAA, a user’s authorization to access a computer depends on the actions of the authorizing party and not on the user’s duty of loyalty. The court also suggested that Citrin's reading of the CFAA is inconsistent with the rule of lenity, which requires courts to construe any ambiguity in a criminal statute against the government. The court then held that
|“||a person uses a computer ‘without authorization’ . . . when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.||”|
Several district courts have also recently moved away from the Citrin/Shurgard view that a user can lose authorization to access a computer by breaching a duty of loyalty to the authorizing party. These courts, like the Ninth Circuit, generally hold that an authorized computer user can never access the computer “without authorization” unless and until the authorization is rescinded.
Based on this recent case law, courts appear increasingly likely to reject the idea that a defendant accessed a computer “without authorization” in insider cases — cases where the defendant had some current authorization to access the computer.
In United States v. Morris, 928 F.2d 504 (2d Cir. 1991)(full-text), Morris was convicted under a previous version of section 1030(a)(5), which punished "intentionally access[ing] a Federal interest computer without authorization." 18 U.S.C. §1030(a)(5)(A) (1988), despite the fact that Morris had limited authorization to use the system.
- EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n.10 (1st Cir. 2001) (full-text) (dicta); see also SecureInfo Corp. v. Telos Corp., 387 F.Supp.2d 593 (E.D. Va. 2005) (full-text) (holding that defendants had authorization to use a computer system even though such access violated the terms of a license agreement binding the user who provided them with access to the system).
- See S. Rep. No. 99-432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479; see also S. Rep. No. 104-357, at 11 (1996), available at 1996 WL 492169.
- See, e.g., United States v. Ivanov, 175 F.Supp.2d 367 (D. Conn. 2001) (full-text) (Russian hacker accessed victim company’s computers without authorization).
- See, e.g., International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (full-text); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1125 (W.D. Wash. 2000) (full-text); Ervin & Smith Advertising & Public Relations, Inc. v. Ervin, 2009 WL 249998 (D. Neb. Feb. 3, 2009) (full-text).
- See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); ViChip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D. Cal. 2006) (full-text) (same); NCMIC Finance Corp. v. Artino, 638 F.Supp.2d 1042, 1057 (S.D. Iowa 2009) (full-text) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers”).
- See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133-34 (9th Cir. 2009) (full-text) (“It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization’”).
- Id. at 1134-35.
- Id. at 1135.
- See, e.g., Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F.Supp.2d 1267 (M.D. Ala. 2010) (full-text); U.S. Bioservices v. Lugo, 595 F.Supp.2d 1189 (D. Kan. 2009) (full-text); Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing & Consulting, LLC, 600 F.Supp.2d 1045 (E.D. Mo. 2009) (full-text); Bro-Tech Corp. v. Thermax, Inc., 651 F.Supp.2d 378, 407-08 (E.D. Pa. 2009) (full-text); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 964-967 (D. Ariz. 2008) (full-text); Diamond Power Int’l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1342 (N.D. Ga. 2007) (full-text); B&B Microscopes v. Armogida, 532 F.Supp.2d 744, 758 (W.D. Pa. 2007) (full-text); Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4 (M.D. Fla. Aug. 1, 2006) (full-text).
- See, e.g., Shamrock Foods, 535 F.Supp.2d at 967 (“[a] violation for accessing ‘without authorization’ occurs only where initial access is not permitted.”).
- Prosecuting Computer Crimes, at 6-8.