The IT Law Wiki

Many of the criminal offenses contained within the Computer Fraud and Abuse Act (CFAA) require that an intruder either access a computer without authorization or exceed authorized access. The term "without authorization" is not defined in the Act, and one court found its meaning "to be elusive."[1]

The legislative history of the CFAA reflects an expectation by Congress that persons who exceed authorized access are likely to be insiders, whereas persons who act without authorization are likely to be outsiders. Outsiders are intruders with no rights to use a protected computer system, and they are subject to a wider range of criminal prohibitions than insiders who merely act in excess of their authorization. Those who act without authorization can be convicted under any of the access offenses contained in the CFAA (18 U.S.C. § 1030(a)(1)-(5)), and can be punished for any intentional, reckless, or other damage they cause by their trespass.[2]

"Authorized" is a fluid concept. Even when authorization exists, it can be withdrawn or it can lapse. In some instances, a court may invoke agency law to determine whether a defendant possessed or retained authorization to access a computer.[3]

In Shurgard v. Safeguard, employees were found to have acted "without authorization" when they accessed their employer's computers to appropriate trade secrets for the benefit of a competitor. The court applied principles of agency law, and concluded that the employees' authorized access to the employer's computers ended when they became agents of the competitor.[4]

Notably, Shurgard, Citrin, Vi Chip, and Lockheed all involved employees who were accused of abusing — e.g., selling, transferring, or destroying — data to which they had authorized access as part of their jobs. As a result, the plaintiffs were unable to establish that the defendants exceeded authorized access. Instead, in each of these cases the plaintiffs attempted to argue that access became unauthorized when the employee's purpose was not to benefit the employer. Essentially, each argued by reference to the Restatement (Second) of Agency that when the agent's duty of loyalty to his principal was breached, the relationship was terminated and subsequent access was unauthorized.[5] To prevail under this theory, a plaintiff must convince the court that the relationship was essentially terminated — i.e., the authorization to access the data was lost — even while the employee was still technically in its employ. The courts in Shurgard, Citrin, and Vi Chip agreed with this rationale, but the court in Lockheed did not.[6]

One court found that insiders acted without authorization when they violated clearly defined computer access policies.[7]

Cases

In United States v. Morris, 928 F.2d 504 (2d Cir. 1991), Morris was convicted under a previous version of section 1030(a)(5), which punished "intentionally access[ing] a Federal interest computer without authorization," 18 U.S.C. § 1030(a)(5)(A) (1988), despite the fact that Morris had limited authorization to use the system.

In United States v. Ivanov, 175 F. Supp. 2d 367 (D. Conn. 2001), a Russian intruder broke into an American company's customer databases and was found to have acted without authorization.

References

  1. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n.10 (1st Cir. 2001) (dicta); see also SecureInfo Corp. v. Telos Corp., 387 F.Supp.2d 593 (E.D. Va. 2005) (holding that defendants had authorization to use a computer system even though such access violated the terms of a license agreement binding the user who provided them with access to the system).
  2. See S. Rep. No. 99-432, at 10 (1986), reprinted in 1986 U.S.C.C.A.N. 2479; see also S. Rep. No. 104-357, at 11 (1996), available at 1996 WL 492169.
  3. See, e.g., Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124 (W.D. Wash. 2000) (finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization).
  4. Id. at 1124-25. See also International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (holding that an employee's access to data became unauthorized when breach of his duty of loyalty terminated his agency relationship); Vi Chip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D. Cal. 2006) (applying the holding of Citrin to an employee who deleted data after being informed that his employment was to be terminated). But see Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *5-7 (M.D. Fla. 2006) (criticizing Citrin).
  5. Shurgard, 119 F.Supp.2d at 1124-25; Citrin, 440 F.3d at 420-21; Vi Chip, 438 F.Supp.2d. at 1100; Lockheed, 2006 WL 2683058 at *4.
  6. Shurgard, 119 F.Supp.2d at 1124-25; Citrin, 440 F.3d at 420-21; Vi Chip, 438 F.Supp.2d. at 1100; Lockheed, 2006 WL 2683058, at *5-7.
  7. See, e.g., America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 451 (E.D. Va. 1998) (holding that AOL members acted without authorization when they used AOL network to send unsolicited bulk emails in violation of AOL's member agreement). But see America Online, Inc. v. National Health Care Discount, Inc., 121 F.Supp.2d 1255 (N.D. Iowa 2000) (noting that no other published decision contains the same interpretation as America Online, Inc. v. LCGM, Inc. on the issue of unauthorized access).