TechLaw

Imagine you're on a flight from Seattle to New York. Your eyes wander over to the laptop screen of the passenger sitting next to you. Imagine (you have quite an imagination) your brief glimpse of the screen reveals the details of one software company's not-yet-public offer to purchase a leading online property. Assume this information is very valuable. Have you, in that moment, violated the Computer Fraud and Abuse Act?

Possibly. There are quite a few ways to violate the CFAA, but a garden variety violation requires proof that the defendant "accessed" a "protected computer" without authorization or in excess of authorized access and thereby obtained information (a criminal offense under 18 U.S.C. 1030(a)(2)(C)) or "anything of value" (a criminal offense under 18 U.S.C. 1030(a)(4) if done with intent to defraud) or caused damage and loss of at least $5,000 (a civil offense under 18 U.S.C. 1030(g)).

Thanks to the Internet, nearly every computer is a "protected computer." The hard part of the analysis is deciding whether you have "accessed" your flight companion's laptop and whether that access was unauthorized. The statute is no help here. Congress failed to define either "access" or "authorization" in the CFAA (though it did define "computer").

My dictionary defines the verb "access" as "to gain or have access to; esp., to retrieve data from, or add data to, a database [branch officials can access the central database]." With this definition in mind, it's certainly plausible to argue that your glance "accessed" that laptop.

Which brings us to the final inquiry: Was your access of the laptop unauthorized? Certainly the laptop owner did not want you to read that top-secret, super-valuable information he was so carelessly perusing. Is that enough to establish a lack of authorization? Is there a requirement that the laptop's owner first inform you that you do not have permission to read over his shoulder? Would it matter if you were a former employee at the laptop owner's company and thus you knew immediately that you did not have permission to read the information on the screen? Would it matter if you had signed a confidentiality agreement while working at the company?

There really are no solid answers to these questions. Congress' decision to add a civil remedy to the CFAA in 1994 and its later decision to drape CFAA liability over the entire Internet by extending the CFAA to any computer used in interstate commerce have combined to create a vast new expanse of computer fraud liability that laywers and courts are only now beginning to explore. And while there are several murky corners of the CFAA (such as what constitutes damage and/or loss), the area receiving the most attention right now is the idea of which kinds of computer accesses are "unauthorized" or "exceeds authorized access."

Several courts have given an expansive reading to these terms, commonly in cases in which access is initially authorized or conditionally authorized, but the information taken is later put to an unauthorized use. Here are a few leading cases supporting a broad reading of unauthorized access.

In America Online Inc. v. LCGM Inc., 46 F. Supp.2d 444 (E.D. Va. 1998), a court held that an AOL user who harvested e-mail addresses of other AOL users made an unauthorized access of AOL's computer network because such use violated the AOL terms of use, which he had assented to via a mouseclick.

In EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2003), the court held that the a datamining tool to collect publicly available pricing information was unauthorized because it violated a confidentiality agreement signed by the defendant, a former employee of the plaintiff.

In Register.com v. Verio, 126 F. Supp.2d 238 (S.D.N.Y. 2000), the court held that a competitor's use of repeated database queries, in violation of Web site terms of use, and after objection by Web site owner, was unauthorized under the CFAA.

In International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006), the court imported common law agency principles to conclude that an employee's otherwise-authorized use of the employer's computer network becomes unauthorized when the employee acts against the interests of the employer.

Citrin is a controversial decision, and some courts have rejected it. Nevertheless, Citrin gets you into court with a plausible (decisive in the Seventh Circuit) argument that your company was the victim of federal computer fraud when employees take valuable information on their way out the door.

These cases have generated a lot of interest from companies who incur business losses when employees depart to work for competitors. The tactical advantages of a CFAA cause of action against departing employees are discussed by technology law experts here and here. The availability of a federal forum, the ability to protect information that does not qualify for copyright or trade secret protection, and the availability of injunctive relief, are just three reasons for increasing interest in the CFAA's civil remedies.

Later this week, on May 23, ALI-ABA is conducting an online seminar on civil uses of the CFAA in these situations.

Finally, there is the case of Lori Drew, a Missouri woman who has been indicted for violating the CFAA's criminal provisions, arising from her alleged use of the MySpace.com Web site in violation of its terms of service. This prosecution holds out the possibility that a CFAA criminal prosecution for "unauthorized" accesses could include any violation of a Web site's terms of use. Hard to imagine.

Daniel J. Solove at Concurring Opinions and Orin Kerr at the Volokh Conspiracy have commentaries on the case here and here.