Revisiting the Scary CFAA

Last April, I blogged about the Nosal case, which led to the scary result that just about any breach of contract on the internet can potentially be a criminal access to a protected computer. I discuss the case in extensive detail in that post, so I won’t repeat it here. The gist is that employees who had access to a server in the ordinary course of their work were held to have exceeded their authorization when they accessed that same server with the intent of funneling information out to a competing ex-employee. The scary extension is that anyone breaching a contract with a web provider might then be considered to be accessing the web server in excess of authorization, and therefore committing a crime.

I’m happy to report that Nosal is now being reheard in the Ninth Circuit. I’m hopeful that the court will do something to rein in the case.

I think most of my colleagues agree with me that the broad interpretation of the statute is a scary one. Where some depart, though, is on the interpretive question. As you’ll see in the comments to my last post, there is some disagreement about how to interpret the statute and whether it is void for vagueness. I want to address some of the continuing disagreement below.

I think there are three ways to look at Nosal:

1. The ruling was right, and the extension to all web users is fine (ouch);

2. The ruling was right as to the Nosal parties, but should not be extended to all web users; and

3. The ruling was not right as to the Nosal parties, and also wrong as to all web users.

I believe where I diverge from many of my cyberlaw colleagues is that I fall into group two. I hope to explain why, and perhaps suggest a way forward. Note that I’m not a con law guy, and I’m not a crim law guy, but I am an internet statute guy, so I call the statutory interpretation like I see it.

I want to focus on the notion of authorization. The statute at issue, the Computer Fraud and Abuse Act (or CFAA), outlaws obtaining information from networked computers if one “intentionally accesses a computer without authorization or exceeds authorized access.”

Orin Kerr, a leader in this area, wrote a great post yesterday that did two things. First, it rejected tort-based trespass rules like implied consent as too vague for a criminal statute. On this, I agree. Second, it defined “authorization” with reference to how other areas of criminal law treat consent. In short, the idea is that if you consent to access in the first place, then doing bad things in violation of the promises made does not mean there was no consent to access. On this, I agree as well.

But here’s the rub: the statute says “without authorization or exceeds authorized access.” And this second phrase has to mean something. The goal, for me at least, is that it covers the Nosal case but not the broad range of activity on the internet. Professor Kerr, I suspect, would say that the only way to do that is for it to be vague, and if so, then the statute must be vague.

I’m OK with the court going that way, but here’s my problem with the argument. The statute isn’t necessarily vague. Let’s say that the scary broad interpretation from Nosal means that every breach of contract is now a criminal act on the web. That’s not vague. Breach a contract and you’re liable; there’s no wondering whether you have committed a crime or not.

Of course, the contract might be vague, but that’s a factual issue that can be litigated. It is not unheard of to have a crime based on failure to live up to an agreement to do something. A dispute about what the agreement was is not the same as being vague. Does that mean I like it? No. Does that mean it’s crazy overbroad? Yes. Does that mean everyone’s at risk and someone should do something about this nutty statute? Absolutely.

Now, here is where some vagueness comes in – only some breaches lead to exceeded access, and some don’t. How are we to decide which is which? The argument Professor Kerr attacks is tying it to trespass, and I agree that doesn’t work.

So, I return to my suggestion from several months ago – we should look to the terms of authorization of access to see whether they have been exceeded. This means that if you are an employee who accesses information for a purpose you know is not authorized, then you are exceeding authorization. It also means that if the terms of service on a website say explicitly that you must be truthful about your age or you are not authorized to access the site, then you are unauthorized. And that’s not always an unreasonable access limitation. If there were a kids-only website that excluded adults, I might well want to criminalize access obtained by people lying about their age. That doesn’t mean all access terms are reasonable, but I’m not troubled by that from a statutory interpretation standpoint.

I’m sure one can attack this as vague – it won’t always be clear when a term is tied to authorization. But then again, if it is not a clear term of authorization, the state shouldn’t be able to prove that authorization was exceeded. This does mean that snoops everywhere, and people who don’t read website terms (me included), are at risk of violating terms of access we never saw or agreed to. I don’t like that part of the law, and it should be changed. I’m fine with narrowing it in the ways that Professor Kerr and others have suggested.

But I don’t know that it is invalid as vague – there are lots of things that may be illegal that people don’t even know are on the books. With terms of service, at least, people have some chance of knowing the rules and choose not to read them. That doesn’t mean it isn’t scary, because I don’t see behavior (including my own) changing anytime soon.