Last week the US District Court for the Northern District of California dismissed a case under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, thereby contributing to an ever-growing debate [PDF] about the meaning of the words “exceeding authorized access.”

Despite the fact that the CFAA defines “exceeding authorized access,” the federal courts of appeals disagree as to what actions those words proscribe. Some circuits focus on “authorized access,” looking to whether the individual under fire took disallowed measures to gain control over digital content. Other circuits focus on the portion of the CFAA’s definition that refers to “obtain[ing] or alter[ing] information in the computer that the accesser is not entitled so to obtain or alter.”

To clarify the dispute, imagine a file cabinet in a locked room. The first group of circuits focuses on who has a key. If you don’t have a key, then any access of the file cabinet violates the CFAA. If you have a key, then nothing you do with the files runs afoul of the CFAA — though that doesn’t rule out contract, trade secret, or other types of disputes.

The second group of circuits focuses on the files in the cabinet. Just like the first group, if you don’t have a key, any access of the files violates the CFAA. But unlike the first group, people who were granted access with a key can still run into trouble if they use the files in a way that is contrary to a preexisting employer-employee agreement.

Though neither side fully conforms with the statutory language (perhaps, because poor drafting makes such compliance impossible), the first group seems to have the better option.

First, by focusing on who has a key, the “access” regime is far more administrable. There would only be one critical piece of evidence in the case: the key.

Second, employees would have more notice under the “access” regime. Rather than having to refer to largely arcane, frequently updated use agreements, individuals need only heed “access denied” prompts in order to comply with the CFAA (note, though, the interesting case of a technical admission to a computer system mistakenly granted to a non-worthy accesser).

Lastly, the “access” regime reins in an otherwise scary scenario in which each and every employer defines the scope of the CFAA. That is to say, under the “obtains and alters” regime, each individual company’s employer-employee use agreement demarcates the boundaries of the CFAA. Certainly, it is advantageous to all to avoid a world in which companies may unilaterally expand or contract the scope of legislation (and especially so when it has implications for felony criminal liability, as do the definitions in the CFAA).

The circuits have made little progress toward resolving this split, and the results of a case truly vary depending on which regime a court applies. As of yet, the Supreme Court has granted no certiorari petition on the issue. But, given the ubiquitous nature of digital databases, which gave rise to the CFAA in the first place, it is doubtful that this issue will fade away in the absence of Supreme Court attention.

Jonathan Hoffmann


Comments are closed.