Bryson Nitta - AMDG - October 8, 2013.

Law 897: The Law in Cyberspace

If a Lion Could Talk, We Could Not Understand Him: The Computer Fraud & Abuse Act

Assignment for October 8, 2013

NOTE:  Hyperlinks are provided in text in order to supplement reading. You are not required to read the content in the hyperlink unless directed to do so, but it might be useful and perhaps fun!

I.  The Statute

The Computer Fraud & Abuse Act ("CFAA"), 18 U.S.C. § 1030, is the dominant vehicle for prosecuting federal computer crimes. Though it targets a plethora of conduct, the most frequently charged offense is located at § 1030(a)(2). This portion of the CFAA criminalizes "unauthorized access" (or access in excess of authorization) of a computer system and obtaining information.

• Read the Department of Justice's "Prosecuting Computer Crimes," Chapter 1, Section C: "Accessing a Computer and Obtaining Information: 18 U.S.C. § 1030(a)(2)."  This section begins on page 16 of the document (page 22 of the PDF). Stop reading at page 17 of the document (page 23 of the PDF) at subsection 1.  HERE.
  • Note the three basic elements of the statute:
    • Intentionally accesses a computer,
    • Without authorization or in excess of authorization,
    • and obtains information.

• Consider what kind of real-life conduct you would suspect is encompassed by this statute.
  • What is "unauthorized access" or access in excess of authorization?
  • Consider the "obtains information" element. Does the statute specify what kind of information must be obtained? Does that mean any information, even inoccuous information, satisfies this element?

Please consider the following hypotheticals.

Hypo 1:  You get a job (hooray!). At your new employee orientation, you sign a piece of paper titled, "AUTHORIZED FIRM COMPUTER USE." The document states that, "You are authorized to use your firm-issued computer for work only."  A few months later, you are sitting at work, bored out of your mind. You log into your work computer and browse Facebook.

• Did you just violate § 1030(a)(2)?

Hypo 2:  A few weeks earlier, your friend had gone through a horrible break-up. He starts receiving nasty messages from his ex. In order to prevent even more heartbreak, he gives you his Facebook username and password and asks you to periodically access his profile to delete the ex's missives. One day, you do so.

• Did you just violate § 1030(a)(2)?

Hypo 3:  Imagine that instead of just going straight to the Facebook inbox and looking for mean messages, you click on a photo album your friend has on Facebook that is marked "Private," meaning only a user logged in to your friend's account can see the photos inside. The album is also entitled, "Very Private Photos I Don't Give Anyone Permission to Access." You access them. 

• Did you just violate § 1030(a)(2)?

II. What is "Access" Under the CFAA?

The CFAA has been used to prosecute a broad swath of conduct. One criticism of the CFAA is that it sweeps in conduct that most people wouldn't consider criminal. A group of Ninth Circuit cases (culminating in United States v. Nosal) addressed the issue.

• Read Orin Kerr's blog post about the CFAA.  HERE.
• Read the excerpted district court's opinion in United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).  HERE.
• Read the following excerpts from United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).  HERE.
• Read the following blog post about a civil suit under the CFAA. HERE.
• Reconsider the three hypos listed above. If you were within the Ninth Circuit, would you be able to convince a court to dismiss an indictment against you?

Of course, not all the circuits agree with the Ninth.

• Read the following excerpts from United States v. John, 597 F.3d 263 (5th Cir. 2010).  HERE.
• Consider: does the "intended-use analysis" solve the problems the Ninth Circuit has with the CFAA? How should a court determine what is the "intended-use" of a computer system? Who decides what the "intended-use" of a computer system is? Would the judge in the Drew case have been satisfied with the "intended-use analysis?"

III.  Rewriting the CFAA.

Aside from the efforts of some federal judges, reformers have also proposed various adjustments to the CFAA. The movement really caught fire after the indictment and eventual suicide of Aaron Swartz.

• Read the bill proposed by Rep. Zoe Lofgren, Rep. Jim Sensenbrenner, and Sen. Ron Wyden. HERE.
• Consider: would a prosecution against Nosal be possible under this version of the law? Would a prosecution against Drew be possible? Would a prosecution against Aaron Swartz be possible?
• Skim Professor Orin Kerr's proposed reforms. Note in particular his definition of "access without authorization."  HERE.
• Consider: would a prosecution against Nosal be possible under this version of the law? Would a prosecution against Drew be possible? Would a prosecution against Aaron Swartz be possible?
• Read this criticism of Professor Kerr's reforms. HERE.

Finally, consider your own position on the CFAA. If you could change the CFAA, would you? How would you change it? Try and come up with a good definition of "unauthorized access" that will only capture bad behavior.