Bar News - July 19, 2013
Federal Practice and Bankruptcy: Exploring Opposing Views of the Computer Fraud and Abuse Act
District of NH Decision at Odds with First Circuit
The recent prosecutions of internet activists Aaron Swartz and Andrew Auernheimer – and Swartz’s suicide in January of this year – have focused public attention on the Computer Fraud and Abuse Act.
Enacted in the 1980s, the CFAA has evolved from a criminal statute intended to protect financial and national security information stored on “federal interest” computers to an expansive set of civil and criminal remedies that can be triggered by routine and (seemingly) innocuous computer or Internet use.
Outrage over Swartz’s suicide led last month to the drafting of legislation to narrow the scope of the CFFA (named “Aaron’s Law”). Clarification of some type is sorely needed, as there is a live and very fundamental dispute between the circuits as to how the CFAA should be interpreted and applied.
And there’s a local angle to this national dispute. In New Hampshire, there is a conflict between decisions in the District of New Hampshire and the First Circuit.
CFAA violations turn on a single issue.
In most cases, CFAA liability requires proof of only three elements: a) that a party “intentionally accesses a computer without authorization or exceeds authorized access;” and that, having gained such access, the party then b) “obtains information” from c) “any protected computer.” In practical terms, the second and third elements are satisfied by every use of a computer or smart device. This leaves the first element – the question of access – as the sole factor that determines whether civil and criminal exposure exists.
It is not a question the statute provides much help in answering. There is no statutory definition for “without authorization,” and the definition for “exceeds authorized access” is circular. Left to their own devices, the courts have adopted two general approaches to determining whether a defendant lacked or exceeded authorization in accessing a protected computer – a “broad” interpretation and a “narrow” one.
The “broad” view: violation turns on the use made of the information.
The “broad” application of the act deems access to be unauthorized if the use made of the information obtained has not been approved by the computer’s owner. The Seventh Circuit finds justification for this approach in the law of agency. Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006) (when employee quits, or otherwise takes actions that violate common law duties of loyalty, authorization to access employer’s computer ends).
The Fifth and Eleventh Circuits also adopt a broad interpretation, but they frame their analysis as a contractual (rather than an agency law) matter. If the terms of an employer’s contract or its computer use policies define what can or cannot be done with a computer system, then contrary uses or purposes are, by definition, unauthorized. See United States v. John, (5th Cir. 2010) and United States v. Rodriguez (11th Cir. 2010). As noted, under this view, an employee is liable for unauthorized (or excessive) access if she uses information in ways that her employer has not sanctioned, even if access to the information was otherwise permitted.
The “narrow” view: use is irrelevant; violation depends only on the right to access a computer.
The “narrow” view asks only whether the defendant had permission or authorization to access or view the information; the use the defendant makes of the information, even if it otherwise violates a common law or contractual duty, is irrelevant.
The narrow view is best exemplified by the Ninth Circuit’s recent en banc decision in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012). The court preferred a narrow application because “the government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.”
The court’s largest concern was with how extensively the CFAA would criminalize routine computer use if the broad view were adopted, both in and outside the workplace.
“Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.” This narrow application of the act has also been adopted in the Fourth Circuit and the Southern District of New York, in WEC Carolina Energy Solutions, LLC v. Miller and JBCHoldings NY, LLC v. Pakter, respectively.
First Circuit applies a “broad” view, while the DNH prefers the “narrow.”
The First Circuit has adopted a “broad” interpretation of the act based on contract (not agency) law. In EF Cultural Travel BV v. Explorica, Inc., a former employee of the plaintiff travel agency used a “scraper” program to automatically collect a long list of the plaintiff’s pricing for various European tours from drop-down menus on its website. The question in the case was whether this method of gathering the information – all of which was freely available on the plaintiff’s website and could be collected, albeit laboriously, by hand – was “authorized” or not under the CFAA.
The Court based its decision on the terms of the defendant’s contractual arrangements with the plaintiff, which prohibited him from misusing confidential information. In a follow-up decision addressing the company that created the “scraper” program, the Court affirmed its view that employers – and website owners – can define the terms of access through contract, according to EF Cultural Travel BV v. Zefer Corp.
The District of Massachusetts has interpreted EF Consulting as a case adopting a broad view of the CFAA, as have district courts in other circuits. See e.g. Guest-Tek Interactive Entertainment, Inc. v. Pullen (D.Mass. 2009); JBCHoldings NY, 2013.
But the District of New Hampshire has adopted a contrary view of the EF Cultural casesEF Cultural cases. In Wentworth-Douglass Hospital v. Young & Novis P.A., the Court discounted the language in EF Cultural that suggested an “expansive view of the CFAA’s reach” as dictum, and “agree[d] that the better (and more reasonable) interpretation of the phrase ‘exceeds authorized access’ in the CFAA is a narrow one.”
The Court granted summary judgment in favor of the defendant employees “since violations of an employer’s computer use policy, as opposed to its computer access restrictions, are not actionable under the CFAA.” (emphasis in original). Although this seems like the better result – the narrow view is more consistent with the statute’s history and more defensible from a policy perspective – it cannot, in fairness, be squared with EF Cultural.
Hopefully, Congress will resolve the narrow/broad dichotomy through legislation. But unless and until it does, litigants in New Hampshire will face a great deal of uncertainty, unsure of whether the broad or narrow view will apply in any given case.
Jeff Spear is a director and shareholder at Orr & Reno, P.A., in Concord, where he focuses on complex commercial litigation and intellectual property disputes. He can be reached at firstname.lastname@example.org.