No edit summary |
|||
| (11 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Overview == |
== Overview == |
||
| − | Many of the criminal offenses contained within the [[Computer Fraud and Abuse Act]] ([[CFAA]]) require that an intruder either [[access]] a [[computer]] "without authorization" or [[exceed authorized access]]. The term '''without authorization''' is not defined in the Act and one court found its meaning "to be elusive."<ref> |
+ | Many of the criminal offenses contained within the [[Computer Fraud and Abuse Act]] ([[CFAA]]) require that an intruder either [[access]] a [[computer]] "without authorization" or [[exceed authorized access]]. The term '''without authorization''' is not defined in the Act and one court found its meaning "to be elusive."<ref>[[EF Cultural Travel v. Explorica|EF Cultural Travel BV v. Explorica, Inc.]], 274 F.3d 577, 582 n.10 (1st Cir. 2001) ([http://scholar.google.com/scholar_case?case=2683575157740054983&q=274+F.3d+577&hl=en&as_sdt=2,5 full-text]) (dicta); ''see also'' [[SecureInfo v. Telos|SecureInfo Corp. v. Telos Corp.]], 387 F.Supp.2d 593 (E.D. Va. 2005) ([http://scholar.google.com/scholar_case?case=15862711997311359221&q=387+F.Supp.2d+593&hl=en&as_sdt=2,5 full-text]) (holding that defendants had [[authorization]] to use a [[computer system]] even though such [[access]] violated the terms of a [[license agreement]] binding the [[user]] who provided them with [[access]] to the [[system]]).</ref> |
== Legislative history == |
== Legislative history == |
||
| − | The [[legislative history]] of the [[CFAA]] reflects an expectation by [[Congress]] that |
+ | The [[legislative history]] of the [[CFAA]] reflects an expectation by [[Congress]] that persons who act without authorization are likely to be outsiders. Outsiders are intruders with no rights to use a [[protected computer]] system, and, they are subject to a wider range of criminal prohibitions than insiders who merely act in [[exceed authorized access|excess of their authorization]]. Those who act without authorization can be convicted under any of the [[access]] offenses contained in the [[CFAA]] (18 U.S.C. § 1030(a)(1)-(5)), and can be punished for any [[intentional]], [[reckless]], or other damage they cause by their [[trespass]]."<ref>''See'' [[S. Rep. No. 99-432]], at 10 (1986), ''reprinted in'' 1986 U.S.C.C.A.N. 2479; ''see also'' S. Rep. No. 104-357, at 11 (1996), ''available at'' 1996 WL 492169.</ref> |
== Court decisions == |
== Court decisions == |
||
| + | It is relatively easy to define the universe of individuals who lack any [[authorization]] to [[access]] a [[computer]]. When someone from this group of people [[access]]es the [[computer]], the access is necessarily “without authorization” for purposes of the [[CFAA]].<ref>''See, e.g.,'' [[U.S. v. Ivanov|United States v. Ivanov]], 175 F.Supp.2d 367 (D. Conn. 2001) ([http://scholar.google.com/scholar_case?case=16277666301537426593&q=175+F.Supp.2d+367&hl=en&as_sdt=2,5 full-text]) (Russian hacker accessed victim company’s computers without authorization).</ref> A more difficult question is whether a person with some [[authorization]] to [[access]] a [[computer]] can ever act “without authorization” with respect to that [[computer]]. The case law on this issue is muddy, but, as discussed below, there is growing consensus that such “insiders” cannot act “without authorization” unless and until their [[authorization]] to [[access]] the [[computer]] is [[rescind]]ed. |
||
| − | "Authorized" is a fluid concept. Even when [[authorization]] exists, it can be withdrawn or it can lapse. In some instances, a court may invoke [[agency]] law to determine whether a defendant possessed or retained [[authorization]] to [[access]] a [[computer]].<ref>''See, e.g., [[Shurgard v. Safeguard|Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc.]],'' 119 F.Supp.2d 1121, 1124 (W.D. Wash. 2000) (finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization).</ref> |
||
| + | Prosecutors rarely argue that a defendant [[access]]ed a [[computer]] “without authorization” when the defendant had some authority to [[access]] that [[computer]]. However, several civil cases have held that defendants lost their [[authorization]] to [[access]] [[computer]]s when they breached a [[duty of loyalty]] to the authorizing parties, even if the authorizing parties were unaware of the breach.<ref>''See, e.g.,'' [[International Airport Centers v. Citrin|International Airport Centers, LLC v. Citrin]], 440 F.3d 418, 420-21 (7th Cir. 2006) ([http://scholar.google.com/scholar_case?case=8785859989962532913&q=440+F.3d+418&hl=en&as_sdt=2,5 full-text]); [[Shurgard Storage Centers v. Safeguard Self Storage|Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc.]], 119 F.Supp.2d 1121, 1125 (W.D. Wash. 2000) ([http://scholar.google.com/scholar_case?case=11569319906143399089&q=119+F.Supp.2d+1121&hl=en&as_sdt=2,5 full-text]); [[Ervin & Smith Advertising v. Ervin|Ervin & Smith Advertising & Public Relations, Inc. v. Ervin]], 2009 WL 249998 (D. Neb. Feb. 3, 2009) ([http://scholar.google.com/scholar_case?case=16897204101192985633&q=Ervin+%26+Smith+Advertising+%26+Public+Relations,+Inc.+v.+Ervin&hl=en&as_sdt=2,5 full-text]).</ref> Some of these cases further suggest that such a breach can occur when the [[user]] decides to [[access]] the [[computer]] for a purpose that is contrary to the interests of the authorizing party.<ref>''See, e.g., Citrin,'' 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); [[ViChip v. Lee|ViChip Corp. v. Lee]], 438 F.Supp.2d 1087, 1100 (N.D. Cal. 2006) ([http://scholar.google.com/scholar_case?case=1775964103310793573&q=438+F.Supp.2d+1087&hl=en&as_sdt=2,5 full-text]) (same); [[NCMIC Finance v. Artino|NCMIC Finance Corp. v. Artino]], 638 F.Supp.2d 1042, 1057 (S.D. Iowa 2009) ([http://scholar.google.com/scholar_case?case=7034649353222391847&q=638+F.Supp.2d+1042&hl=en&as_sdt=2,5 full-text]) (“[T]he determinative question is whether Artino breached his [[duty of loyalty]] to NCMIC when Artino obtained [[information]] from NCMIC’s computers”).</ref> |
||
| − | In ''[[Shurgard v. Safeguard]],'' [[employee]]s were found to have acted "without authorization" when they [[access]]ed their [[employer]]'s [[computer]]s to appropriate [[trade secret]]s for the benefit of a [[competitor]]. The court applied principles of [[agency]] law, and concluded that the [[employee]]s' [[authorized access]] to the [[employer]]'s [[computer]]s ended when they became [[agent]]s of the [[competitor]].<ref>''Id.'' at 1124-25. ''See also'' [[International Airport Centers, L.L.C. v. Citrin]], 440 F.3d 418, 420-21 (7th Cir. 2006) (holding that an employee's [[access]] to data became unauthorized when [[breach]] of his [[duty of loyalty]] terminated his [[agency relationship]]); [[Vi Chip Corp. v. Lee]], 438 F.Supp.2d 1087, 1100 (N.D. Cal. 2006) (applying the holding of ''Citrin'' to an [[employee]] who [[delete]]d [[data]] after being informed that his employment was to be terminated). ''But see'' [[Lockheed Martin Corp. v. Speed]], 2006 WL 2683058, at *5-7 (M.D. Fla. 2006) (criticizing ''Citrin'').</ref> |
||
| + | The ''Citrin/Shurgard'' line of cases has been criticized by courts adopting the view that, under the [[CFAA]], an [[authorized user]] of a [[computer]] cannot [[access]] the computer “without authorization” unless and until the [[authorization]] is revoked. Most significantly, the Ninth Circuit has rejected ''Citrin'' 's interpretation of “without authorization” and found that, under the plain language of the [[CFAA]], a [[user]]’s [[authorization]] to [[access]] a [[computer]] depends on the actions of the authorizing party and not on the [[user]]’s [[duty of loyalty]].<ref>''See'' [[LVRC Holdings v. Brekka|LVRC Holdings LLC v. Brekka]], 581 F.3d 1127, 1133-34 (9th Cir. 2009) ([http://scholar.google.com/scholar_case?case=3712527331075916393&q=581+F.3d+1127&hl=en&as_sdt=2,5 full-text]) (“It is the [[employer]]’s decision to allow or to terminate an [[employee]]’s [[authorization]] to [[access]] a [[computer]] that determines whether the [[employee]] is with or ‘without authorization’”).</ref> The court also suggested that ''Citrin'''s reading of the [[CFAA]] is inconsistent with the rule of [[lenity]], which requires courts to construe any [[ambiguity]] in a criminal [[statute]] against the government.<ref>''Id.'' at 1134-35.</ref> The court then held that |
||
| − | Notably, ''[[Shurgard v. Safeguard|Shurgard]], [[Citrin]], [[Vi Chip]], and [[Lockheed]]'' all involved [[employee]]s who were accused of abusing — ''e.g.,'' selling, transferring, or destroying — [[data]] to which they had [[authorized access]] as part of their jobs. As a result, the plaintiffs were unable to establish that the defendants [[exceeded authorized access]]. Instead, in each of these cases the plaintiffs attempted to argue that [[access]] became [[unauthorized]] when the [[employee]]'s purpose was not to benefit the [[employer]]. Essentially, each argued by reference to the [[Restatement (Second) of Agency]] that when the [[agent]]'s [[duty of loyalty]] to his [[principal]] was [[breach]]ed, the relationship was terminated and subsequent access was unauthorized.<ref>''[[Shurgard]]'', 119 F.Supp.2d at 1124-25; ''[[Citrin]]'', 440 F.3d at 420-21; ''[[Vi Chip]]'', 438 F.Supp.2d. at 1100; ''[[Lockheed]]'', 2006 WL 2683058 at *4.</ref> To prevail under this theory, a plaintiff must convince the court that the relationship was essentially terminated — ''i.e.,'' the [[authorization]] to [[access]] the [[data]] was lost—even while the [[employee]] was still technically in its employ. The courts in ''[[Shurgard]], [[Citrin]],'' and ''[[Vi Chip]]'' agreed with this rationale, but the court in ''[[Lockheed]]'' did not.<ref>''[[Shurgard]],'' 119 F.Supp.2d at 1124-25; ''[[Citrin]],'' 440 F.3d at 420-21; ''[[Vi Chip]],'' 438 F.Supp.2d. at 1100; ''[[Lockheed]],'' 2006 WL 2683058, at *5- 7.</ref> |
||
| + | {{Quote|a person uses a [[computer]] ‘without authorization’ . . . when the person has not received permission to use the [[computer]] for any purpose (such as when a [[hacker]] [[access]]es someone’s [[computer]] without any permission), or when the [[employer]] has [[rescind]]ed permission to [[access]] the [[computer]] and the defendant uses the [[computer]] anyway.<ref>''Id.'' at 1135.</ref>}} |
||
| − | One court found that insiders acted without authorization when they violated clearly defined [[computer access policies]].<ref>''See, e.g., [[America Online, Inc. v. LCGM, Inc.]],'' 46 F.Supp.2d 444, 451 (E.D. Va. 1998) (holding that AOL members acted without [[authorization]] when they used AOL [[network]] to send [[unsolicited bulk email]]s in violation of AOL's member agreement). ''But see [[America Online, Inc. v. National Health Care Discount, Inc.]],'' 121 F.Supp.2d 1255 (N.D. Iowa 2000) (noting that no other published decision contains the same interpretation as ''[[America Online, Inc. v. LCGM, Inc.]]'' on the issue of [[unauthorized access]]).</ref> |
||
| + | Several district courts have also recently moved away from the ''Citrin/Shurgard'' view that a [[user]] can lose [[authorization]] to [[access]] a [[computer]] by breaching a [[duty of loyalty]] to the authorizing party.<ref>''See, e.g.,'' [[Bell Aerospace Services v. U.S. Aero Services|Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc.]], 690 F.Supp.2d 1267 (M.D. Ala. 2010) ([http://scholar.google.com/scholar_case?case=8344716202578822627&q=690+F.Supp.2d+1267&hl=en&as_sdt=2,5 full-text]); U.S. Bioservices v. Lugo, 595 F.Supp.2d 1189 (D. Kan. 2009) ([http://scholar.google.com/scholar_case?case=3861577714298401398&q=595+F.Supp.2d+1189&hl=en&as_sdt=2,5 full-text]); [[Lasco Foods v. Hall & Shaw Sales|Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing & Consulting, LLC]], 600 F.Supp.2d 1045 (E.D. Mo. 2009) ([http://scholar.google.com/scholar_case?case=15723200792420105698&q=600+F.Supp.2d+1045&hl=en&as_sdt=2,5 full-text]); [[Bro-Tech v. Thermax|Bro-Tech Corp. v. Thermax, Inc.]], 651 F.Supp.2d 378, 407-08 (E.D. Pa. 2009) ([http://scholar.google.com/scholar_case?case=5499149433932557701&q=651+F.Supp.2d+378&hl=en&as_sdt=2,5 full-text]); [[Shamrock Foods v. Gast|Shamrock Foods Co. v. Gast]], 535 F.Supp.2d 962, 964-967 (D. Ariz. 2008) ([http://scholar.google.com/scholar_case?case=700746977424905529&q=535+F.Supp.2d+962&hl=en&as_sdt=2,5 full-text]); [[Diamond Power International v. Davidson|Diamond Power Int’l, Inc. v. Davidson]], 540 F.Supp.2d 1322, 1342 (N.D. Ga. 2007) ([http://scholar.google.com/scholar_case?case=6687978139009786903&q=540+F.Supp.2d+1322&hl=en&as_sdt=2,5 full-text]); [[B&B Microscopes v. Armogida]], 532 F.Supp.2d 744, 758 (W.D. Pa. 2007) ([http://scholar.google.com/scholar_case?case=1372812875644292495&q=532+F.Supp.2d+744&hl=en&as_sdt=2,5 full-text]); [[Lockheed Martin v. Speed|Lockheed Martin Corp. v. Speed]], 2006 WL 2683058, at *4 (M.D. Fla. Aug. 1, 2006) ([http://scholar.google.com/scholar_case?case=17429674875541447088&q=Lockheed+Martin+Corp.+v.+Speed&hl=en&as_sdt=2,5 full-text]).</ref> These courts, like the Ninth Circuit, generally hold that an [[authorized]] [[computer user]] can never [[access]] the [[computer]] “without authorization” unless and until the [[authorization]] is [[rescind]]ed.<ref>''See, e.g., Shamrock Foods,'' 535 F.Supp.2d at 967 (“[a] violation for [[access]]ing ‘without authorization’ occurs only where initial [[access]] is not permitted.”).</ref> |
||
| ⚫ | In ''[[U.S. v. Morris|United States v. Morris]],'' 928 F.2d 504 (2d Cir. 1991)([http://scholar.google.com/scholar_case?case=551386241451639668&q=928+F.2d+504&hl=en&as_sdt=2002 full-text]), Morris was convicted under a previous version of section 1030(a)(5), which punished "[[intentionally]] [[access]][ing] a [[Federal interest computer]] without [[authorization]]." 18 U.S.C. §1030(a)(5)(A) (1988), despite the fact that Morris had limited [[authorization]] to use the system. |
||
| + | Based on this recent case law, courts appear increasingly likely to reject the idea that a defendant [[access]]ed a [[computer]] “without authorization” in insider cases — cases where the defendant had some current [[authorization]] to [[access]] the [[computer]]. |
||
| − | In ''[[United States v. Ivanov]],'' 175 F.Supp.2d 367 (D. Conn. 2001)([http://scholar.google.com/scholar_case?case=16277666301537426593&q=175+F.Supp.2d+367&hl=en&as_sdt=2002 full-text]), a Russian intruder broke into an American company's customer [[database]]s and was found to have acted without [[authorization]]. |
||
| + | |||
| ⚫ | In ''[[U.S. v. Morris|United States v. Morris]],'' 928 F.2d 504 (2d Cir. 1991)([http://scholar.google.com/scholar_case?case=551386241451639668&q=928+F.2d+504&hl=en&as_sdt=2002 full-text]), Morris was convicted under a previous version of section 1030(a)(5), which punished "[[intentionally]] [[access]][ing] a [[Federal interest computer]] without [[authorization]]." 18 U.S.C. §1030(a)(5)(A) (1988), despite the fact that Morris had limited [[authorization]] to use the system. |
||
==References== |
==References== |
||
<references /> |
<references /> |
||
| + | |||
| + | == Source == |
||
| + | |||
| + | * [[Prosecuting Computer Crimes]], at 6-8. |
||
[[Category:Computer crime]] |
[[Category:Computer crime]] |
||
[[Category:Legislation-U.S.-Criminal]] |
[[Category:Legislation-U.S.-Criminal]] |
||
Latest revision as of 06:16, 4 December 2011
Overview[]
Many of the criminal offenses contained within the Computer Fraud and Abuse Act (CFAA) require that an intruder either access a computer "without authorization" or exceed authorized access. The term without authorization is not defined in the Act and one court found its meaning "to be elusive."[1]
Legislative history[]
The legislative history of the CFAA reflects an expectation by Congress that persons who act without authorization are likely to be outsiders. Outsiders are intruders with no rights to use a protected computer system, and, they are subject to a wider range of criminal prohibitions than insiders who merely act in excess of their authorization. Those who act without authorization can be convicted under any of the access offenses contained in the CFAA (18 U.S.C. § 1030(a)(1)-(5)), and can be punished for any intentional, reckless, or other damage they cause by their trespass."[2]
Court decisions[]
It is relatively easy to define the universe of individuals who lack any authorization to access a computer. When someone from this group of people accesses the computer, the access is necessarily “without authorization” for purposes of the CFAA.[3] A more difficult question is whether a person with some authorization to access a computer can ever act “without authorization” with respect to that computer. The case law on this issue is muddy, but, as discussed below, there is growing consensus that such “insiders” cannot act “without authorization” unless and until their authorization to access the computer is rescinded.
Prosecutors rarely argue that a defendant accessed a computer “without authorization” when the defendant had some authority to access that computer. However, several civil cases have held that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach.[4] Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party.[5]
The Citrin/Shurgard line of cases has been criticized by courts adopting the view that, under the CFAA, an authorized user of a computer cannot access the computer “without authorization” unless and until the authorization is revoked. Most significantly, the Ninth Circuit has rejected Citrin 's interpretation of “without authorization” and found that, under the plain language of the CFAA, a user’s authorization to access a computer depends on the actions of the authorizing party and not on the user’s duty of loyalty.[6] The court also suggested that Citrin's reading of the CFAA is inconsistent with the rule of lenity, which requires courts to construe any ambiguity in a criminal statute against the government.[7] The court then held that
| “ | a person uses a computer ‘without authorization’ . . . when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.[8] | ” |
Several district courts have also recently moved away from the Citrin/Shurgard view that a user can lose authorization to access a computer by breaching a duty of loyalty to the authorizing party.[9] These courts, like the Ninth Circuit, generally hold that an authorized computer user can never access the computer “without authorization” unless and until the authorization is rescinded.[10]
Based on this recent case law, courts appear increasingly likely to reject the idea that a defendant accessed a computer “without authorization” in insider cases — cases where the defendant had some current authorization to access the computer.
In United States v. Morris, 928 F.2d 504 (2d Cir. 1991)(full-text), Morris was convicted under a previous version of section 1030(a)(5), which punished "intentionally access[ing] a Federal interest computer without authorization." 18 U.S.C. §1030(a)(5)(A) (1988), despite the fact that Morris had limited authorization to use the system.
References[]
- ↑ EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n.10 (1st Cir. 2001) (full-text) (dicta); see also SecureInfo Corp. v. Telos Corp., 387 F.Supp.2d 593 (E.D. Va. 2005) (full-text) (holding that defendants had authorization to use a computer system even though such access violated the terms of a license agreement binding the user who provided them with access to the system).
- ↑ See S. Rep. No. 99-432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479; see also S. Rep. No. 104-357, at 11 (1996), available at 1996 WL 492169.
- ↑ See, e.g., United States v. Ivanov, 175 F.Supp.2d 367 (D. Conn. 2001) (full-text) (Russian hacker accessed victim company’s computers without authorization).
- ↑ See, e.g., International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (full-text); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1125 (W.D. Wash. 2000) (full-text); Ervin & Smith Advertising & Public Relations, Inc. v. Ervin, 2009 WL 249998 (D. Neb. Feb. 3, 2009) (full-text).
- ↑ See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); ViChip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D. Cal. 2006) (full-text) (same); NCMIC Finance Corp. v. Artino, 638 F.Supp.2d 1042, 1057 (S.D. Iowa 2009) (full-text) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers”).
- ↑ See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133-34 (9th Cir. 2009) (full-text) (“It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization’”).
- ↑ Id. at 1134-35.
- ↑ Id. at 1135.
- ↑ See, e.g., Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F.Supp.2d 1267 (M.D. Ala. 2010) (full-text); U.S. Bioservices v. Lugo, 595 F.Supp.2d 1189 (D. Kan. 2009) (full-text); Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing & Consulting, LLC, 600 F.Supp.2d 1045 (E.D. Mo. 2009) (full-text); Bro-Tech Corp. v. Thermax, Inc., 651 F.Supp.2d 378, 407-08 (E.D. Pa. 2009) (full-text); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 964-967 (D. Ariz. 2008) (full-text); Diamond Power Int’l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1342 (N.D. Ga. 2007) (full-text); B&B Microscopes v. Armogida, 532 F.Supp.2d 744, 758 (W.D. Pa. 2007) (full-text); Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4 (M.D. Fla. Aug. 1, 2006) (full-text).
- ↑ See, e.g., Shamrock Foods, 535 F.Supp.2d at 967 (“[a] violation for accessing ‘without authorization’ occurs only where initial access is not permitted.”).
Source[]
- Prosecuting Computer Crimes, at 6-8.