President Obama wants to go where the Supreme Court refused to tread. As part of his cybersecurity and privacy initiatives, which we discussed last week, the President would strengthen the federal anti-hacking provisions of the Computer Fraud and Abuse Act (CFAA), including an expansion of activity covered by the statutory phrase “exceeds authorized access.” In so doing, the President would resolve a circuit split between the First, Fifth, Eighth, Seventh, and Eleventh Circuits, on the one hand, and the Ninth and Fourth Circuits, on the other. His reason? “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families.”
The current Computer Fraud and Abuse Act imposes penalties against persons who “intentionally access[] a computer with authorization or exceed[] authorized access” in order to obtain certain protected information. Under the current law, the phase “exceeds authorized access” means using authorized access to a computer “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” But, even with that definition, the circuits have been unable to agree on what it means to “exceed[] authorized access.”
On one side, the First, Fifth, Eighth, and Eleventh Circuits determined that this phrase encompasses violations of computer use restrictions, such as those in website terms of service agreements and employment agreements and policies. In each of these cases, the court found the defendant guilty of unauthorized access for using information obtained via authorized access for unauthorized purposes. The Seventh Circuit similarly posited that acting against an employer’s interests breaches an employee’s duty of loyalty to the company and terminates her authority to access the information.
In contrast, the Ninth Circuit held en banc that the phrase “exceeds authorized access” only applies to restrictions on accessing information rather than to restrictions on using information legitimately accessed. Thus, the court found that employees who downloaded confidential information from a company database that they were authorized to access, and who then disclosed the information to someone outside the company in violation of company policy, were not guilty of unauthorized access under the CFAA. The court reasoned that the purpose of the CFAA is to prevent hacking rather than the misappropriation of trade secrets. The Fourth Circuit followed the Ninth Circuit’s interpretation.
The White House proposal would undercut the Ninth Circuit’s reasoning by extending the statutory definition of “exceeds unauthorized access” to include using authorized access to a computer “for a purpose that the accesser knows is not authorized by the computer owner.” This proposal is not novel. The predecessor to the CFAA, the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, included a similar prohibition against using authorized access to a computer “for purposes to which such authorization does not extend.” Yet when Congress enacted the CFAA two years later in 1986, it specifically removed this purpose clause from the books and introduced the current “exceeds authorized access” phrase. If Congress reintroduces the purpose clause as proposed by the Obama Administration, we will likely see more federal litigation sorting out the circumstances in which employees and other users exceed their authorized access of computers.
Interestingly, while broadening the meaning of the term “exceeds authorized access,” the White House proposal would also narrow the situations in which “exceeding authorized access” would be illegal. According to the proposal, access exceeding authorization would only be illegal under the proposed amendment if: (1) the value of the information obtained by the unauthorized access were greater than $5,000; (2) the information were obtained from a government computer; or (3) the access were done in furtherance of another felony.
Furthermore, the proposed amendment would enhance penalties for most CFAA offenses. For example, under the current law, there are three levels of penalties for unauthorized access. The amendment would increase the severities for two of these levels and drop the third level. Significantly, the amendment would bump the basic offense from a misdemeanor to a felony. The justification for giving prosecutors such a sharp weapon against minor infractions is not clear.
It may be that the Obama administration has adequately balanced: (1) the broader meaning of “exceeds authorized access” and harsher penalties with (2) more limited circumstances in which the “exceeds authorized access” phrase applies. Or it may be that classifying all violations as felonies would create a very scary situation for people caught up within the vague boundaries of liability under the CFAA, such as a city librarian innocently but illegally using a work computer for personal reasons. Trade Secrets Watch looks forward to finding out what Congress does with the proposal.