1. [align=left]
    1. Table 2. Authorized Access and Section 1030
    | § 1030 Offense | Without Auth. | Exceeds Auth. | Not an element |
    |---|---|---|---|
    | (a)(1). Obtaining National Security Information | x | x | |
    | (a)(2). Compromising Confidentiality | x | x | |
    | (a)(3). Trespassing in a Govt. Computer | x | | |
    | (a)(4). Accessing to Defraud and Obtain Value | x | x | |
    | (a)(5)(A)(i). Damaging Without Authorization | | | x |
    | (a)(5)(A)(ii). Intentionally accessing and recklessly causing damage | x | | |
    | (a)(5)(A)(iii). Intentionally accessing and causing damage | x | | |
    | (a)(6). Trafficking in Passwords | | | x |
    | (a)(7). Extortion Involving Threats to Damage a Computer | | | x |
    1. As Table 2 illustrates, the ability to charge certain conduct as a violation of the CFAA may turn upon whether or not a defendant can be shown to have acted without authorization, as opposed to having acted in excess of authorized access. The question of whether or not a given access was authorized has been the subject of frequent litigation in both criminal and civil cases under the CFAA. Cases interpreting the authorization elements of CFAA offenses have generally followed the insider/outsider distinction, although not without some deviation. Traditional insider/outsider cases include United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), where an Internal Revenue Service employee was found to have exceeded his authorized access to IRS computer systems when he looked at taxpayer records for personal purposes, and United States v. Ivanov, 175 F. Supp. 2d 367 (D. Conn. 2001), where a Russian intruder broke into an American company's customer databases and was found to have acted without authorization.
    2. While the universe of individuals who lack any authorization to access a computer is relatively easy to define, determining whether individuals who possess some legitimate authorization to access a computer have exceeded that authorized access may be more difficult. The term "exceeds authorized access" is defined as follows:
      1. [T]o access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.
    3. 18 U.S.C. § 1030(e)(6).
    4. The scope of any authorization hinges upon the facts of each case. In the simplest of prosecutions, a defendant without authorization to access a computer may intentionally bypass a technological barrier (such as password protection or system privileges) that prevented him from obtaining information on a computer network. However, many cases will involve exceeding authorized access, and establishing the scope of authorized access will be more complicated. The extent of authorization may turn upon the contents of an employment agreement or similar document, a terms of service notice, or a log-on banner outlining the permissible purposes for accessing a computer or computer network. See Southwest Airlines Co. v. Farechase, Inc., 318 F.Supp.2d 435 (N.D. Tex. 2004) (user agreement); EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (various site notices); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000) (terms of use notice); America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998) (terms of service agreement); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (employee confidentiality agreement).
    5. In one case, however, an insider (a person with some limited authorization to use a system) strayed so far beyond the bounds of his authorization that the court treated him as having acted without authorization. United States v. Morris, 928 F.2d 504 (2d Cir. 1991). Morris was convicted under a previous version of section 1030(a)(5), which punished "intentionally access[ing] a Federal interest computer without authorization." 18 U.S.C. § 1030(a)(5)(A) (1988). Morris created an Internet program known as a "worm," which spread to computers across the country and caused damage. To enable the worm to spread, Morris exploited vulnerabilities in two processes he was in fact authorized to use: "sendmail" (an email program) and "fingerd" (a program used to find out certain information about the users of other computers on the network). Morris, 928 F.2d. at 509-10.
    6. On appeal, Morris argued that because he had authorization to engage in certain activities, such as sending electronic mail, on some university computers, he had merely exceeded authorized access, rather than having gained unauthorized access.
    7. The Second Circuit rejected Morris' argument on three grounds. First, it held that the fact that the defendant had authorization to use certain computers on a network did not insulate his behavior when he gained access to other computers that were beyond his authorization. "Congress did not intend an individual's authorized access to one federal interest computer to protect him from prosecution, no matter what other federal interest computers he accesses." Id. at 511. Rather, "Congress contemplated that individuals with access to some federal interest computers would be subject to liability under the computer fraud provisions for gaining unauthorized access to other federal interest computers." Id. at 510. Second, the court held that although Morris may have been authorized to use certain generally available functions—such as the email or user query services—on the systems victimized by the "worm," he misused that access in such a way to support a finding that his access was unauthorized. The court wrote that:
      1. Morris did not use either of those features in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.
    8. Id.[FN1] Finally, the court held that even assuming the defendant's initial insertion of the worm simply exceeded his authorized access, evidence demonstrated that the worm was designed to spread to other computers and gain access to those computers without authorization by guessing their passwords.
    9. "Authorized" is a fluid concept. Even when authorization exists, it can be withdrawn or it can lapse. In some instances, a court may invoke agency law to determine whether a defendant possessed or retained authorization to access a computer. See, e.g., Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124 (W.D. Wash. 2000) (finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization).
    10. In Shurgard, employees were found to have acted "without authorization" when they accessed their employer's computers to appropriate trade secrets for the benefit of a competitor. The court applied principles of agency law, and concluded that the employees' authorized access to the employer's computers ended when they became agents of the competitor. Id. at 1124-25. See International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (holding that an employee's access to data became unauthorized when breach of his duty of loyalty terminated his agency relationship). See also Vi Chip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D.Ca. 2006) (applying the holding of Citrin to an employee who deleted data after being informed that his employment was to be terminated). But see Lockheed Martin Corp. v. Speed, 2006 WL 2683058 at *5-7 (M.D. Fla. 2006) (criticizing Citrin).
    11. Notably, Shurgard, Citrin, Vi Chip, and Lockheed all involved employees who were accused of abusing—e.g., selling, transferring, or destroying—data to which they had authorized access as part of their jobs. As a result, the plaintiffs were unable to establish that the defendants exceeded authorized access. Instead, in each of these cases the plaintiffs attempted to argue that access became unauthorized when the employee's purpose was not to benefit the employer. Essentially, each argued by reference to the Restatement (Second) of Agency that when the agent's duty of loyalty to his principal was breached, the relationship was terminated and subsequent access was unauthorized. Shurgard, 119 F.Supp.2d at 1124-25; Citrin, 440 F.3d at 420-21; Vi Chip, 438 F.Supp.2d. at 1100; Lockheed, 2006 WL 2683058 at *4. To prevail under this theory, a plaintiff needs to convince the court that the relationship was essentially terminated—i.e., the authorization to access the data was lost—even while the employee was still technically in its employ. The courts in Shurgard, Citrin, and Vi Chip agreed with this rationale, but the court in Lockheed did not. Shurgard, 119 F.Supp.2d at 1124-25; Citrin, 440 F.3d at 420-21; Vi Chip, 438 F.Supp.2d. at 1100; Lockheed, 2006 WL 2683058 at *5-7. Prosecutors faced with similar facts may want to consider charging an offense that does not contain an authorization requirement, such as section 1030(a)(5)(A)(i).
    12. One court found that insiders acted without authorization when they violated clearly defined computer access policies. See, e.g., America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 451 (E.D. Va. 1998) (holding that AOL members acted without authorization when they used AOL network to send unsolicited bulk emails in violation of AOL's member agreement). But see America Online, Inc. v. National Health Care Discount, Inc., 121 F.Supp.2d 1255 (N.D. Iowa 2000) (noting that no other published decision contains the same interpretation as America Online, Inc. v. LCGM, Inc. on the issue of unauthorized access).
    13. Typically, however, persons who are employees or licensees of the entity whose computer they used are held liable for exceeding authorized access as opposed to unauthorized access. See EF Cultural Travel, 274 F.3d at 582-84 (holding that a former employee who violated a confidentiality agreement by providing information about accessing a protected computer system could be liable for exceeding authorized access). In SecureInfo Corp. v. Telos Corp., 387 F.Supp.2d 593 (E.D. Va. 2005), the court dismissed a claim that defendants, who gained access to a protected computer due to breach of a software license by a licensee, either exceeded authorized access or gained unauthorized access. The court believed that the licensee had given the defendants authority to use the computer system, which undercut the plaintiff's unauthorized use claim. Id. at 608-09. Moreover, since it was the licensee and not the defendants who agreed to the terms of the license, the defendants were not bound to the use limitations, and therefore, had not exceeded authorized access. Id. at 609-10. The court noted, however, that had the licensee—as opposed to the persons who gained access to the system via the licensee—been sued for exceeding authorized use, they may have been found liable under the theory set forth in EF Cultural Travel. Id. at 609 (citing EF Cultural Travel BV, 274 F.3d at 582).
    14. The SecureInfo decision is troublesome in that it could arguably be read to support the proposition that users who are granted access to a system by an authorized user cannot be found liable under either an unauthorized use or an in excess of authorization theory. Presumably, however, had the third parties used their authorized access to obtain information unavailable to even licensed users, the court would have held them liable. The better reading of this decision is that courts may be reluctant to predicate civil liability, much less criminal liability, under the CFAA solely upon a violation of a software licensing agreement.
    15. In sum, "without authorization" generally refers to intrusions by outsiders, but some courts have also applied the term to intrusions by insiders who access computers other than the computer they are authorized to use, intrusions by insiders acting as agents for outsiders, and intrusions by insiders who violate clearly defined access policies. Section 1030 imposes greater liability on outsiders because their very presence on the computer or network constitutes trespass. Thus, certain subsections (18 U.S.C. §§ 1030(a)(3), (a)(5)(A)(ii), & (a)(5)(A)(iii)) criminalize actions based upon access without authorization, but do not impose the same liability if the access merely exceeds authorization. In any event, it is clear that courts treat the issue of authority to access as a question of fact under the specific circumstances of each case. Prosecutors should consider not only whether the access breached technical security measures (such as passwords), but also employer policies, banners, user agreements, contracts, licenses, or similar items.
    1. B. Obtaining National Security Information: 18 U.S.C. § 1030
    2. Summary
    1. Knowingly access computer without or in excess of authorization
    2. obtain national security information
    3. reason to believe the information could injure the U.S. or benefit a foreign nation
    4. willful communication, delivery, transmission (or attempts) OR willful retention of the information
    1. The infrequently used section 1030(a)(1) punishes the act of obtaining national security information without or in excess of authorization and then willfully providing or attempting to provide the information to an unauthorized recipient, or willfully retaining the information.
    2. Any steps in investigating or indicting a case under section 1030(a)(1) require the prior approval of the National Security Division of the Department of Justice, through the Counterespionage Section. See USAM 9-90.020. Please contact them at (202) 514-1187.
    3. Title 18, United States Code, Section 1030(a)(1) provides:
    [/align]