
When a Good Interpretation is the Wrong One (CFAA Edition)

In this post, I want to revisit the CFAA and the Nosal case. I wrote about this case back in April 2011 (when the initial panel decision was issued), and again in December (when en banc review was granted). It’s hard to believe that it has been more than a year!

I discuss the case in detail in the other posts, but for the busy and uninitiated, here is the issue: what does it mean to “exceed authorized access” to a computer?  In Nosal, the wrongful act was essentially trade secret misappropriation where the “exceeded authorization” was violation of a clear “don’t use our information except for company benefit” type of policy. Otherwise, the employees had access to the database from which they obtained information as part of their daily work.

Back in April, I argued that the panel basically got the interpretation of the statute right, but that the interpretation was so broad as to be scary. Orin Kerr, who has written a lot about this, noted in the comments that such a broad interpretation would be void for vagueness because it would ensnare too much everyday, non-wrongful activity.  Though I’m not convinced that the law supports his view, it wouldn’t break my heart if that were the outcome. But that’s not the end of the story.

Last month, the Ninth Circuit finally issued the en banc opinion in the Nosal case. The court noted all the scary aspects of a broad interpretation, trotting out the parade of horribles showing innocuous conduct that would violate the broadest reading of the statute. As the court notes: “Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.” We all agree on that.

The solution for the court was to narrowly interpret what “exceeds authorized access” means: “we hold that  ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” (emphasis in original).

On the one hand, this is a normatively “good” interpretation. The court applies the rule of lenity to not outlaw all sorts of behavior that shouldn’t be outlawed and that was likely never intended to be outlawed. So, I’m not complaining about the final outcome.

On the other hand, I can’t get over the fact that the interpretation is just plain wrong as a matter of statutory interpretation. Here are some of the reasons why:

1. The term “exceeds authorized access” is defined in the statute:  “‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The statute on its face makes clear that exceeding access is not about violating an access restriction, but instead about using access to obtain information that one is not so entitled to obtain. To say that a use restriction cannot be part of the statute simply rewrites the definition.

2. The key section of the statute is not about use of information at all. Section 1030(a)(2) outlaws access to a computer, where such access leads to obtaining (including viewing) information. So, of course exceeding authorized access should deal with an access restriction, but what is to stop everyone from rewriting their agreements conditionally: “Your access to this server is expressly conditioned on your intent at the time of access. If your intent is to use the information for nefarious purposes, then your access right is revoked.” The statutory interpretation shouldn’t be so easily manipulated, but it appears that it can be.

3. Even if you accept the court’s reading as in line with the statute, it still leaves much uncertainty in practice. For example, the court points to Google’s former terms of service that disallowed minors from using Google: “You may not use the Services and may not accept the Terms if . . . you are not of legal age to form a binding contract with Google . . . .” I agree that it makes little sense for all minors who use Google to be juvenile delinquents. But read the terms carefully – they are not about use of information; they are about permission to access the services. If you are a minor, you may not use our services (that is, access our server). I suppose this is a use restriction because the court used it as an example, but that’s not so clear to me.

4. The court states that Congress couldn’t have meant exceeds authorized access to be about trade secret misappropriation and really only about hacking. 1030(a)(1)(a) belies that reading. That section outlaws exceeding authorized access to obtain national secrets and causing them “to be communicated, delivered, or transmitted, or attempt[ing] to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it.” That sounds a lot like misappropriation to me, and I bet Congress had a situation like Nosal in mind.

5. In fact, trade secrets appear to be exactly what Congress had in mind. The section that would ensnare most unsuspecting web users, 1030(a)(2) (which bars “obtaining” information by exceeding authorized access), was added in the same public law as the Economic Espionage Act of 1996 – the federal trade secret statute. The Senate reports for the EEA and the change to 1030 were issued on the same day. As S. Rep. 104-357 makes clear, the addition was to protect the privacy of information on civilian computers. Of course, this helps support a narrower reading – if information is not private on the web, then perhaps we should not be so concerned about it.

6. On a related note, the court’s treatment of the legislative history is misleading. The definition of “exceeds authorized access” was changed in 1986. As the court notes in a footnote:

[T]he government claims that the legislative history supports its interpretation. It points to an earlier version of the statute, which defined “exceeds authorized access” as “having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend.” But that language was removed and replaced by the current phrase and definition.

So far, so good. In fact, this change alone seems to support the court’s view, and I would have stopped there. But the court goes on to state:

And Senators Mathias and Leahy—members of the Senate Judiciary Committee—explained that the purpose of replacing the original broader language was to “remove[] from the sweep of the statute one of the murkier grounds of liability, under which a[n] . . . employee’s access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances.”

This reading is just not accurate in content or spirit. I reproduce below sections of S. Rep. 99-472, the legislative history cited by the court:

[On replacing “knowing” access with “intentional” access] This is particularly true in those cases where an individual is authorized to sign onto and use a particular computer, but subsequently exceeds his authorized access by mistakenly entering another computer file or data that happens to be accessible from the same terminal. Because the user had ‘knowingly’ signed onto that terminal in the first place, the danger exists that he might incur liability for his mistaken access to another file. … The substitution of an ‘intentional’ standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another.

. . .
[Note: (a)(3) was about access to Federal computers by employees. Access to private computers was not added for another 10 years. At the time (a)(2) covered financial information.] The Committee wishes to be very precise about who may be prosecuted under the new subsection (a)(3). The Committee was concerned that a Federal computer crime statute not be so broad as to create a risk that government employees and others who are authorized to use a Federal Government computer would face prosecution for acts of computer access and use that, while technically wrong, should not rise to the level of criminal conduct. At the same time, the Committee was required to balance its concern for Federal employees and other authorized users against the legitimate need to protect Government computers against abuse by ‘outsiders.’ The Committee struck that balance in the following manner.

In the first place, the Committee has declined to criminalize acts in which the offending employee merely ‘exceeds authorized access’ to computers in his own department … It is not difficult to envision an employee or other individual who, while authorized to use a particular computer in one department, briefly exceeds his authorized access and peruses data belonging to the department that he is not supposed to look at. This is especially true where the department in question lacks a clear method of delineating which individuals are authorized to access certain of its data. The Committee believes that administrative sanctions are more appropriate than criminal punishment in such a case. The Committee wishes to avoid the danger that every time an employee exceeds his authorized access to his department’s computers—no matter how slightly—he could be prosecuted under this subsection. That danger will be prevented by not including ‘exceeds authorized access’ as part of this subsection’s offense. [emphasis added]

Section 2(c) substitutes the phrase ‘exceeds authorized access’ for the more cumbersome phrase in present 18 U.S.C. 1030(a)(1) and (a)(2), ‘or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend’. The Committee intends this change to simplify the language in 18 U.S.C. 1030(a)(1) and (2)… [note: not to change the meaning, though obviously it does]

[And finally, the quote in the Nosal case, which was drawn from the “additional” views in the report, not the report of the committee itself]: [1030(a)(3)] would eliminate coverage for authorized access that aims at ‘purposes to which such authorization does not extend.’ This removes from the sweep of the statute one of the murkier grounds of liability, under which a Federal employee’s access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances that might be held to exceed his authorization.
This collection of history implies three things (to me, at least):

a. The committee well understood that employees could have authorized access to a computer, but could easily, “technically,” and “slightly” exceed that authorization by accessing another file on the same computer – and that it was not all about hacking.

b. The committee understood that it was problematic to hold people liable for this.

c. As a result, the committee removed “exceeds authorized access” from federal employee liability under (a)(3), but left it in (a)(1) (use of U.S. secrets) and (a)(2) (gaining access to financial information). The legislative history quoted by the court merely affirms that the “murkiness” was solved in (a)(3) by removing the phrase altogether, not by narrowing its scope in the other subsections.

The problem is that the worries the committee had about how “exceeds authorized access” might apply to federal employees never went away, but Congress extended liability to everyone when it expanded (a)(2) in 1996. What Congress should have done in 1996 (or at any time since) was consider the problems facing federal employees when it imposed the same restrictions on everyone.

A second problem is that Congress likely did not envision widespread computer servers with open access to information, where the only “authorization” limitations would be contractual rather than technological.

This leads me, again, to my conclusion above. The court’s reading of the statute, while “good,” is not quite right. But the panel’s original reading was not quite right either.

I return to the suggestions I made in prior posts, bolstered by the legislative history here: we should look to the terms of authorization of access to see whether they have been exceeded. This means that if you are an employee who intentionally accesses information for a purpose you know is not authorized, then you are exceeding authorization.

It also means that if the terms of service on a website say explicitly that you must be truthful about your age as a condition of authorization to access the site, then lying about your age is exceeding authorization. And that’s not always an unreasonable access limitation. If there were a kids-only website that excluded adults, I might well want to criminalize access obtained by people lying about their age. That doesn’t mean all access terms are reasonable, but I’m not troubled by that from a statutory interpretation standpoint.

I’m sure one can attack this as vague – it won’t always be clear when a term is tied to authorization. But then again, if it is not a clear term of authorization, the state shouldn’t be able to prove that authorization was exceeded. It also means that if the authorization terms are buried or unread, then there may not be an intentional access that exceeds authorization.