
Thursday, May 03, 2012

When a Good Interpretation is the Wrong One (CFAA Edition)

Hi, and thanks again to Prawfs for having me back.  In my first post, I want to revisit the CFAA and the Nosal case. I wrote about this case back in April 2011 (when the initial panel decision was issued), and again in December (when en banc review was granted). It's hard to believe that it has been more than a year!

I discuss the case in detail in the other posts, but for the busy and uninitiated, here is the issue: what does it mean to "exceed authorized access" to a computer?  In Nosal, the wrongful act was essentially trade secret misappropriation where the "exceeded authorization" was violation of a clear "don't use our information except for company benefit" type of policy. Otherwise, the employees had access to the database from which they obtained information as part of their daily work.

Back in April, I argued that the panel basically got the interpretation of the statute right, but that the interpretation was so broad as to be scary. Orin Kerr, who has written a lot about this, noted in the comments that such a broad interpretation would be void for vagueness because it would ensnare too much everyday, non-wrongful activity.  Though I'm not convinced that the law supports his view, it wouldn't break my heart if that were the outcome. But that's not the end of the story.

Last month, the Ninth Circuit finally issued the en banc opinion in the Nosal case. The court noted all the scary aspects of a broad interpretation, trotting out the parade of horribles showing innocuous conduct that would violate the broadest reading of the statute. As the court notes: "Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement." We all agree on that.

The solution for the court was to narrowly interpret what "exceeds authorized access" means: "we hold that  'exceeds authorized access' in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use." (emphasis in original).

On the one hand, this is a normatively "good" interpretation. The court applies the rule of lenity to not outlaw all sorts of behavior that shouldn't be outlawed and that was likely never intended to be outlawed. So, I'm not complaining about the final outcome. 

On the other hand, I can't get over the fact that the interpretation is just plain wrong as a matter of statutory interpretation. Here are some of the reasons why:

1. The term "exceeds authorized access" is defined in the statute:  "'exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The statute on its face makes clear that exceeding access is not about violating an access restriction, but instead about using access to obtain information that one is not so entitled to obtain. To say that a use restriction cannot be part of the statute simply rewrites the definition.

2. The key section of the statute is not about use of information at all. Section 1030(a)(2) outlaws access to a computer, where such access leads to obtaining (including viewing) of information. So, of course exceeding authorized access should deal with an access restriction, but what is to stop everyone from rewriting their agreements conditionally: "Your access to this server is expressly conditioned on your intent at the time of access. If your intent is to use the information for nefarious purposes, then your access right is revoked." The statutory interpretation can't be so easily manipulated, but it appears to be. 

3. Even if you accept the court's reading as in line with the statute, it still leaves much uncertainty in practice. For example, the court points to Google's former terms of service that disallowed minors from using Google: “You may not use the Services and may not accept the Terms if . . . you are not of legal age to form a binding contract with Google . . . .” I agree that it makes little sense for all minors who use Google to be juvenile delinquents. But read the terms carefully - they are not about use of information; they are about permission to access the services. If you are a minor, you may not use our services (that is, access our server). I suppose this is a use restriction because the court used it as an example, but that's not so clear to me.

4. The court states that Congress couldn't have meant exceeds authorized access to be about trade secret misappropriation and really only about hacking. 1030(a)(1)(a) belies that reading. That section outlaws exceeding authorized access to obtain national secrets and causing them "to be communicated, delivered, or transmitted, or attempt[ing] to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it." That sounds a lot like misappropriation to me, and I bet Congress had a situation like Nosal in mind. 

5. In fact, trade secrets appear to be exactly what Congress had in mind. The section that would ensnare most unsuspecting web users, 1030(a)(2) (which bars "obtaining" information by exceeding authorized access), was added in the same public law as the Economic Espionage Act of 1996 - the federal trade secret statute. The Senate reports for the EEA and the change to 1030 were issued on the same day. As S. Rep. 104-357 makes clear, the addition was to protect the privacy of information on civilian computers. Of course, this helps aid a narrower reading - if information is not private on the web, then perhaps we should not be so concerned about it.

6. On a related note, the court's treatment of the legislative history is misleading. The definition of "exceeds authorized access" was changed in 1986. As the court notes in a footnote: 

[T]he government claims that the legislative history supports its interpretation. It points to an earlier version of the statute, which defined “exceeds authorized access” as “having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend.”  But that language was removed and replaced by the current phrase and definition.

So far, so good. In fact, this change alone seems to support the court's view, and I would have stopped there. But the court goes on to state:

And Senators Mathias and Leahy—members of the Senate Judiciary Committee—explained that the purpose of replacing the original broader language was to “remove[] from the sweep of the statute one of the murkier grounds of liability, under which a[n] . . . employee’s access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances.”

This reading is just not accurate in content or spirit. I reproduce below sections of S. Rep. 99-472, the legislative history cited by the court:

 [On replacing "knowing" access with "intentional" access] This is particularly true in those cases where an individual is authorized to sign onto and use a particular computer, but subsequently exceeds his authorized access by mistakenly entering another computer file or data that happens to be accessible from the same terminal. Because the user had ‘knowingly’ signed onto that terminal in the first place, the danger exists that he might incur liability for his mistaken access to another file. ... The substitution of an ‘intentional’ standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another.

. . .
[Note: (a)(3) was about access to Federal computers by employees. Access to private computers was not added for another 10 years. At the time (a)(2) covered financial information.] The Committee wishes to be very precise about who may be prosecuted under the new subsection (a)(3). The Committee was concerned that a Federal computer crime statute not be so broad as to create a risk that government employees and others who are authorized to use a Federal Government computer would face prosecution for acts of computer access and use that, while technically wrong, should not rise to the level of criminal conduct. At the same time, the Committee was required to balance its concern for Federal employees and other authorized users against the legitimate need to protect Government computers against abuse by ‘outsiders.’ The Committee struck that balance in the following manner.
In the first place, the Committee has declined to criminalize acts in which the offending employee merely ‘exceeds authorized access' to computers in his own department ... It is not difficult to envision an employee or other individual who, while authorized to use a particular computer in one department, briefly exceeds his authorized access and peruses data belonging to the department that he is not supposed to look at. This is especially true where the department in question lacks a clear method of delineating which individuals are authorized to access certain of its data. The Committee believes that administrative sanctions are more appropriate than criminal punishment in such a case. The Committee wishes to avoid the danger that every time an employee exceeds his authorized access to his department's computers—no matter how slightly—he could be prosecuted under this subsection. That danger will be prevented by not including ‘exceeds authorized access' as part of this subsection's offense. [emphasis added]
Section 2(c) substitutes the phrase ‘exceeds authorized access' for the more cumbersome phrase in present 18 U.S.C. 1030(a)(1) and (a)(2), ‘or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend’. The Committee intends this change to simplify the language in 18 U.S.C. 1030(a)(1) and (2)... [note: not to change the meaning, though obviously it does]

[And finally, the quote in the Nosal case, which were "additional" comments in the report, not the report of the committee itself]: [1030(a)(3)] would eliminate coverage for authorized access that aims at ‘purposes to which such authorization does not extend.’  This removes from the sweep of the statute one of the murkier grounds of liability, under which a Federal employee's access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances that might be held to exceed his authorization.
This collection of history implies four things (to me, at least):
a. The committee well understood that employees could have authorized access to a computer, but could easily, "technically," and "slightly" exceed that authorization by accessing another file on the same computer - and that it was not all about hacking.
b. The committee understood that it was problematic to hold people liable for this.
c. As a result, the committee removed "exceeds authorized access" for federal employee liability, but left it in (a)(1) (use of U.S. secrets) and (a)(2) (gaining access to financial information). The legislative history quoted by the court merely affirms that the "murkiness" is solved by removing the phrase altogether, and not by narrowing the scope in other subsections.
The problem is that the worries the committee had about how "exceeds authorized access" might apply to federal employees never went away, but Congress extended liability to everyone when it expanded (a)(2) in 1996. What Congress should have done in 1996 (or anytime since) was consider the problems facing federal employees when it imposed restrictions on everyone.
A second problem is that Congress likely did not envision widespread computer servers with open access to information, whereby the only "authorization" limitations would be contractual rather than technologically based.
This leads me, again, to my conclusion above. The court's reading of the statute, while "good," is not quite right. But the panel's original reading was not quite right either.
I return to the suggestions I made in prior posts, bolstered by the legislative history here: we should look to the terms of authorization of access to see whether they have been exceeded. This means that if you are an employee who intentionally accesses information for a purpose you know is not authorized, then you are exceeding authorization.
It also means that if the terms of service on a website say explicitly that you must be truthful about your age as a condition of authorization to access the site, then you are exceeding authorization. And that’s not always an unreasonable access limitation.  If there were a kids only website that excluded adults, I might well want to criminalize access obtained by people lying about their age. That doesn’t mean all access terms are reasonable, but I’m not troubled by that from a statutory interpretation standpoint.
I’m sure one can attack this as vague – it won’t always be clear when a term is tied to authorization. But then again, if it is not a clear term of authorization, the state shouldn’t be able to prove that authorization was exceeded. It also means that if the authorization terms are buried or unread, then there may not be an intentional access that exceeds authorization.

Posted by Michael Risch on May 3, 2012 at 01:03 PM in Information and Technology


Orin - thanks for the thoughtful comments, though a) I can see a court reasonably going your way, and b) I'm still not convinced it's right.

Three points:
1. It is not that far a leap to say that "proper grounds" is something you are legally or contractually permitted to do. I would think that's how most people think of it. Other than arrogance and false entitlement, is there a common use of entitled that doesn't imply that? I suppose you could add morally entitled, but I can't imagine Congress condoned hacking based on moral entitlement. The statute was, after all, written by lawyers.

2. I understand how computers were different at the time - I lived through it. But the original definition of the statute made it very clear that Congress understood how computer access worked. The original statute said: "having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend." That is pretty broad, and is all about how you use the computer once you are in, as Bruce notes.

3. I don't think you can read the sentiment of the original language (which survived in some form) so narrowly as: "You got on a computer, now you can't hack into email." The legislative history made clear that Congress was thinking that accidentally viewing a file on the same server, in the same directory, might exceed an employee's authorized access. That has to mean that Congress understood that once you were "logged in" you might view information you weren't permitted to view, and because of that, they took that part out of the statute. Yes, modern terms of service were not on their mind, but I don't think it is that far of a stretch from: "Federal policy that says you can read file A but not file B once you are logged on to our server" to "Web site policy that says you can access service A but not service B once you have pointed a web browser at our server."

I think the limiting factor is really how much the terms of service are tied to the access, whether they are read, understood, and binding (intentionality), and also how broadly we should imply authorization. I think authorization should be very broadly implied for a publicly accessible website - cases like EF Cultural are ridiculously wrong. But the mistake here was Congress's. I would much rather a court strike the statute down on vagueness grounds, as that is about the only way Congress will fix it.

That said, Hillel is right - perhaps statutory interpretation rewriting it to something more reasonable under the rule of lenity is the way to go. I'm not a huge fan of that - it might work to the good in this case, but might open up a whole can of worms in other cases. Maybe that's the patent guy in me coming out again.

Posted by: Michael Risch | May 4, 2012 7:47:01 AM

Oops, sorry for that outlier sentence -- please ignore it.

Posted by: Orin Kerr | May 3, 2012 10:24:47 PM

Michael, I think you are assuming a distinction between access and use that is different from what the drafters were thinking about. My best sense is that in the 1980s, when the language was written, the idea of accessing a computer generally meant having any rights at all to use that computer. Once you were "in" the computer, anything else you did on that computer was not "access" because the computer was already accessed. So for example, if you hooked up a modem and logged into MIT's mainframe, you accessed that computer: If once inside you hacked into someone else's e-mail account on the MIT mainframe, that was using the computer in a way that you were not entitled to use it (because you had to break down the code-based restriction to do it). So the concept of use restrictions that we know in 2012 is different from the concept of using a computer that was common in the 1980s. If I'm right, the "exceeds authorized access" language was about breaking into things once you were already "in" the machine, not about breaching terms of use.

As for your dictionary definition, I'm not sure you're picking the right word to define. The statute refers to that which you are not "entitled" to do, so presumably the word to look up is what "entitled" means, not the word "entitlement." The word entitled is defined in relevant part as "to furnish with proper grounds for seeking or claiming something," which says nothing about legal rights or contractual rights: It just means creating proper grounds for doing something, without saying what makes those grounds proper. That's why I think the definition is circular: It doesn't specify what the proper grounds are that makes the user entitled and therefore the conduct authorized.

You look to the definition of the word "entitlement," but I would think the more directly seem to be assuming that entitlement is about legal rights in the sense of terms of use written by lawyers, but so

Posted by: Orin Kerr | May 3, 2012 10:21:50 PM

I don't think the definition of "exceeds authorized access" refers to use of information. It refers to use of access: "'exceeds authorized access' means to access a computer with authorization and to *use such access* to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." So obtaining or altering information in excess of authorized access is within the scope of the definition.

Of course, the computer owner can attempt to contractually condition access on the intended use, as you point out. But at that point we're quibbling about what "authorized access" means, not contradicting anything in the definition. I'd be curious about how garden-variety trespass works here -- say you violate the fine print on the back of a sporting event ticket, but haven't been asked to leave. Could you be sued for trespass?

Posted by: Bruce Boyden | May 3, 2012 4:59:20 PM

This case features in my current working draft, which follows my last article on statutory interpretation, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1677689, to be published in Ill. L. Rev.

The thrust of my analysis is that a persistent theme within statutory interpretation (and the law more generally) is, and should be to an even greater extent, the public's understanding of the law and its consequent reliance interests. The Nosal case is a great example. I agree that the formal tools of statutory interpretation suggest that the Ninth Circuit's reading is a relatively poor one; but public practice, expectations, and reliance interests make it the better interpretation. The court ultimately hangs its hat on the rule of lenity, which is just a doctrinal expression of the public understanding/expectations/reliance theme (as is void for vagueness and a host of other doctrines).

I wish courts were more open about this, rather than trying to create statutory ambiguity by twisting words and using suspect doctrinal analysis. Kozinski comes as close as anyone in Nosal to being honest about what he's doing.

Posted by: Hillel Y. Levin | May 3, 2012 3:13:37 PM

I based it on two things. First, the definition has the word "use" in it to describe what is done with the access. I think that implies that use restrictions are relevant.

Second, entitlement generally means something that you have some legal right to. As the dictionary notes: "a right to benefits specified especially by law or contract."

Thus, entitlement may be about access to the computer, and entitlement might be about what you can do with that access based on underlying legal and contractual terms. I don't see how that is circular at all. I may not like it, but it's not as though I can't understand it.

Posted by: Michael Risch | May 3, 2012 1:48:24 PM

Michael writes: " To say that a use restriction cannot be part of the statute simply rewrites the definition."

I don't think that's right. The difficulty is that the definition of "exceeds authorized access" is circular: It says that you exceed authorized access if you do that which you are not "entitled" to do. But that just begs the question, what principle governs "entitle[ment]"? You seem to be assuming that written terms like use restrictions govern entitlement, but it's not entirely clear to me why you make that assumption.

Posted by: Orin Kerr | May 3, 2012 1:27:13 PM
