
Tuesday, December 06, 2011

Revisiting the Scary CFAA

Last April, I blogged about the Nosal case, which led to the scary result that just about any breach of contract on the internet can be a criminal access to a protected computer. I discuss the case in extensive detail in that post, so I won't repeat it here. The gist is that employees who had access to a server in their ordinary course of work were held to have exceeded their authorization when they accessed that same server with the intent of funneling information out to a competing ex-employee. The scary extension is that anyone breaching a contract with a web provider might then be considered to be accessing the web server in excess of authorization, and therefore committing a crime.

I'm happy to report that Nosal is now being reheard in the Ninth Circuit. I'm hopeful that the court will do something to rein in the case.

I think most of my colleagues agree with me that the broad interpretation of the statute is a scary one. Where some depart, though, is on the interpretive question. As you'll see in the comments to my last post, there is some disagreement about how to interpret the statute and whether it is void for vagueness. I want to address some of the continuing disagreement after the jump.

I think there are three ways to look at Nosal:

    1. The ruling was right, and the extension to all web users is fine (ouch);

    2. The ruling was right as to the Nosal parties, but should not be extended to all web users; and

    3. The ruling was not right as to the Nosal parties, and also wrong as to all web users.

I believe where I diverge from many of my cyberlaw colleagues is that I fall into group two. I hope to explain why, and perhaps suggest a way forward. Note that I'm not a con law guy, and I'm not a crim law guy, but I am an internet statute guy, so I call the statutory interpretation like I see it.

I want to focus on the notion of authorization. The statute at issue, the Computer Fraud and Abuse Act (or CFAA), 18 U.S.C. § 1030(a)(2), outlaws obtaining information from networked computers if one "intentionally accesses a computer without authorization or exceeds authorized access."

Orin Kerr, a leader in this area, wrote a great post yesterday that did two things. First, it rejected tort-based trespass rules like implied consent as too vague for a criminal statute. On this, I agree. Second, it defined "authorization" with respect to other criminal law treatment of consent. In short, the idea is that if you consent to access in the first place, then doing bad things in violation of the promises made does not mean lack of consent to access. On this, I agree as well.

But here's the rub: the statute says "without authorization or exceeds authorized access." And this second phrase has to mean something. The goal, for me at least, is that it covers the Nosal case but not the broad range of activity on the internet. Professor Kerr, I suspect, would say that the only way to do that is for it to be vague, and if so, then the statute must be vague.

I'm OK with the court going that way, but here's my problem with the argument. The statute isn't necessarily vague. Let's say that the scary broad interpretation from Nosal means that every breach of contract is now a criminal act on the web. That's not vague. Breach a contract, then you're liable; there's no wondering whether you have committed a crime or not.

Of course, the contract might be vague, but that's a factual issue that can be litigated. It is not unheard of to have a crime based on failure to live up to an agreement to do something. A dispute about what the agreement was is not the same as being vague. Does that mean I like it? No. Does that mean it's crazy overbroad? Yes. Does that mean everyone's at risk and someone should do something about this nutty statute? Absolutely.

Now, here is where some vagueness comes in - only some breaches lead to exceeded access, and some don't. How are we to decide which is which? The argument Professor Kerr takes on is tying it to trespass, and I agree that doesn't work.

So, I return to my suggestion from several months ago - we should look to the terms of authorization of access to see whether they have been exceeded. This means that if you are an employee who accesses information for a purpose you know is not authorized, then you are exceeding authorization. It also means that if the terms of service on a website say explicitly that you must be truthful about your age or you are not authorized to access the site, then you are unauthorized. And that's not always an unreasonable access limitation. If there were a kids-only website that excluded adults, I might well want to criminalize access obtained by people lying about their age. That doesn't mean all access terms are reasonable, but I'm not troubled by that from a statutory interpretation standpoint.

I'm sure one can attack this as vague - it won't always be clear when a term is tied to authorization. But then again, if it is not a clear term of authorization, the state shouldn't be able to prove that authorization was exceeded. This does mean that snoops all over, and people who don't read website terms (me included), are at risk of violating terms of access we never saw or agreed to. I don't like that part of the law, and it should be changed. I'm fine with making it more limiting in the ways that Professor Kerr and others have suggested.

But I don't know that it is invalid as vague - there are lots of things that may be illegal that people don't even know are on the books. Terms of service, at least, people have some chance of knowing, and they choose not to read them. That doesn't mean it isn't scary, because I don't see behavior (including my own) changing anytime soon.

Posted by Michael Risch on December 6, 2011 at 05:18 PM in Information and Technology, Web/Tech | Permalink

Question: City of Chicago v. Morales is a better case for the point I'm making. Justice Stevens talks about the problem with the criminal statute reaching "innocent conduct." Perhaps Stevens has in mind conduct that may be protected by the Due Process clause under Papachristou, but it's not clear.

Posted by: Orin Kerr | Dec 7, 2011 7:42:12 PM

I've been particularly worried about the CFAA and its interplay with the First Amendment, chilling otherwise protected speech of primary / secondary school and (public) university students, not to mention government employees.

Essentially, by rendering contracts relevant to or conclusive of criminality, the CFAA makes it all the more important to scrutinize the equity of certain contractual arrangements. If the CFAA stays as broad as it is, and / or stands up to constitutional muster in courts, courts need to be proactive in saying "this computer use policy is adhesionary" and so forth. At a hedge fund a computer use policy may be essential to the overall contractual relationship between parties, but at a public university the policy is hidden in a pile of documents and is only trotted out when the university is bowing to outside pressure (a la Napster) or is otherwise trying to stick it to a specific student (say, for unpopular views or protesting with the OWS folks).

So I'm not taking a stand on the CFAA, but just saying that the abuses can possibly be remedied with traditional equitable defenses.

Posted by: AndyK | Dec 7, 2011 4:14:09 PM

Orin, perhaps I'm wrong, but I read that case to say that, when a phrase in a statute is vague, the statute is void because it places too much discretion in the hands of government officials to enforce the law. That doesn't seem to be what's relevant to this case, where the statute itself is quite clear; it just criminalizes conduct that we think probably shouldn't be criminal. You seem to be reasoning backwards; the statute criminalizes stuff that we think is innocent, and therefore the statute must be vague if it allows for that.

Posted by: question | Dec 7, 2011 11:52:15 AM


Kolender v. Lawson, 461 U.S. 352 (1983):

Posted by: Orin Kerr | Dec 6, 2011 10:36:46 PM

Orin writes: "[T]he second goes to whether it gives the government so much power to arrest people for innocuous conduct that it encourages discriminatory enforcement."

Could you point me to some cases that discuss this version of "vagueness"? In this context, it seems to be question begging, since we're trying to determine what's innocuous and what's not in the first place.

Posted by: Question | Dec 6, 2011 9:27:44 PM

Michael writes: "As far as interpretation goes, while I'm a fan of looking at legislative intent, the statute is what it is, and I don't see Congress rushing to correct it."

It's worth noting that the Senate Judiciary Committee passed an amendment to the definition of "exceeds authorized access" specifically to correct this problem back in September, and the House Judiciary Committee had a hearing on this issue as well three weeks ago.

Posted by: Orin Kerr | Dec 6, 2011 8:46:48 PM

Thanks for the comment. If void for vagueness outlaws overbreadth, I'm all for it.

As far as interpretation goes, while I'm a fan of looking at legislative intent, the statute is what it is, and I don't see Congress rushing to correct it. They may have wanted to deal with insiders, but it obviously goes beyond that - the question we all grapple with is how far it does (and how far it should).

I would add that for my interpretation, the condition on which access is granted must be reasonably related to the purposes for limiting access (like age in a kids chat room, but not age on a website where age has nothing to do with limiting access). I think that type of interpretation might avoid overbreadth, but still apply to the types of limited access we might want to enforce even on the web.

Posted by: Michael Risch | Dec 6, 2011 8:27:32 PM

Thanks for the post, Michael. I think the difficulty is that the void for vagueness doctrine has two different prongs: facial vagueness and overbreadth. The first goes to whether you can tell what is illegal; the second goes to whether it gives the government so much power to arrest people for innocuous conduct that it encourages discriminatory enforcement. An interpretation of the CFAA that deems violating any term of service on any computer an act that "exceeds authorized access" would not implicate the first prong, facial vagueness, as you point out. But I think it would make the statute unconstitutionally overbroad under the second prong. That's why I think the vagueness doctrine requires a narrower interpretation of the statute.

As for the meaning of "exceeds authorized access" as a matter of statutory interpretation, I think the problem is that Congress never revealed a clear sense of what that was supposed to mean. The statutory definition they chose is entirely circular, so that's no help. The legislative history suggests that there was a vague sense that there were "insiders" who might be beyond the "without authorization" prohibition, so they came up with a second category, "exceeding authorized access." But I think it's really hard to know what they thought that meant. And the kinds of arguments about insiders vs. outsiders made at the time of the new provision leave the meaning unclear, as well -- take the case of Morris, who argued that he was an "insider" to federal interest computers *as a whole* because he had legitimate accounts to some federal interest computers, and therefore that he could not have accessed any computers "without authorization." To be sure, I agree that Congress intended exceeding authorized access to do *something* that access without authorization does. But it's just not clear, at least to me, what that is.

Posted by: Orin Kerr | Dec 6, 2011 8:15:43 PM