Virtually every day we read about another cyber attack or malicious hacking incident. Hackers seek corporate secrets for competitive advantage, personal information, financial fraud, or sometimes they simply perform “hacktivist” political stunts. A recent report by Mandiant, a computer security firm, even detailed sophisticated cyber attacks by a Chinese Army unit against U.S. corporations and government agencies. See “APT1: Exposing One of China's Cyber Espionage Units.”
As cyber victims and law enforcement struggle to find the means, both technical and legal, to respond to these attacks, critics claim that certain laws go too far. In fact, one statute, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, has come under recent scrutiny due to its use against unsuspecting individuals who may not be the malicious hackers that the Act was originally meant to address. This has led to a noisy push for CFAA reform, a split in the federal circuit courts and calls for Congressional action.
CFAA Easy to Violate
“Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime?”
– Chief Judge Alex Kozinski, U.S. Court of Appeals for the Ninth Circuit.
Judge Kozinski's question isn't merely hypothetical. It relates to the far-reaching ramifications of nebulous language in the little-known CFAA, a federal anti-hacking statute dating back to 1984, long before commercial use of the Internet. Under the CFAA, if you access a computer “without authorization” or “exceed authorized access,” you could potentially find yourself facing federal criminal charges or involved in an expensive civil lawsuit.
But the average person, a non-hacker, has nothing to fear when engaging in everyday innocuous computer use, right? Not quite.
Virtually every website or online service, whether used for shopping, social media or gaming, includes Terms of Service (TOS), stating what you can or cannot do when using the site.
Likewise, many employers have specific written policies defining what an employee can do when using a work computer. Creative plaintiffs and zealous prosecutors are using these policies and TOS provisions to invoke the CFAA. In other words, exceeding authorized access could simply mean violating a TOS or your employer's computer use policies.
When is the last time you read and understood the fine print in a website's TOS or scoured your employer's computer use policy? Here's a brief excerpt from Facebook's TOS:
www.facebook.com/legal/terms (as revised Nov. 15, 2013).
So maybe you lied about your age on Facebook, or perhaps shared your password with a friend. Maybe you created an entirely fictitious account just so you could see what your old high school pals from 20 years ago look like today. Perhaps you haven't updated your account in two years and the contact information is out of date. All of these common and seemingly innocuous activities violate Facebook's TOS and could potentially subject users to felony charges or a civil action under the CFAA.
In the business context, it would be a rare employee that did not send any personal e-mails from work. Some employees may even do online shopping or spend the bulk of a day researching travel information. What if you use your authorized access on your company's network to obtain information for personal reasons, such as setting up a competing business? All of these actions are typically violations of company policy and, under the Justice Department's interpretation of the CFAA, make ordinary workers felons.
The broad use of the CFAA for seemingly technical TOS violations is not an abstract concept. Consider the case of Lori Drew from 2006. Drew created a fake MySpace account to communicate with a former friend of her daughter. Continuing to pose as the phony person, Drew cyber-bullied her daughter's former friend who eventually committed suicide.
Missouri authorities, where Drew was from, did not find that any laws were violated. But since the MySpace servers were located in California, a creative U.S. Attorney there filed criminal charges against Drew based on the CFAA and Drew's violation of MySpace's TOS. The TOS provided that users must offer “truthful and accurate” information about themselves. In a ruling on the sufficiency of the charges, the Drew court concluded that an intentional breach of MySpace's TOS could potentially constitute accessing MySpace computers without authorization (or exceeding authorization) under the CFAA.
While Drew may not be a sympathetic “victim” of vague CFAA language, the use of mostly unread legalese in online provisions to bring criminal charges raises loud alarms in legal circles, since it puts virtually every computer user at risk. In fact, more recently, the CFAA became the focus of an international firestorm when it was used to target a well-known and admired Harvard researcher in what many deemed to be an overzealous prosecution and a prime example of potential abuse of the CFAA.
“Stealing Is Stealing”
“Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars.”
– U.S. Attorney Carmen M. Ortiz, in a 2011 press release.
At 14 years old, already a programming prodigy, Aaron Swartz helped develop the RSS Web feed, a program that automatically delivers updated content to users. He later co-founded the social media website, Reddit.
Swartz was admitted to Stanford University, but dropped out after a year to start a software company and because, as he blogged, “I didn't find it a very intellectual atmosphere, since most of the other kids seemed profoundly unconcerned with their studies.”
In 2010, at the age of 23, Swartz became a research fellow at Harvard University's Edmond J. Safra Center for Ethics, where his friend and mentor, Harvard Law Professor Lawrence Lessig, was the Director. By this time, Swartz was also a well-known figure in the open access movement, an effort to provide free and unrestricted access, via the Internet, to scientific and scholarly research.
His Internet activism included taking action that poked authorities. In 2008, in an effort to make a point about access to public records, Swartz downloaded and released to a non-profit group millions of federal court documents stored in the U.S. Court system's PACER database. Although PACER normally charged a per-page fee, some libraries at the time offered free access, thus enabling Swartz to use a script to download massive amounts of court records without charge. While this drew the FBI's attention, no charges were filed since the documents were in fact public records.
But the next time he wouldn't be so lucky. In 2011, Swartz was arrested after he used MIT's computer network to download millions of academic papers stored by JSTOR, a digital service that provided access to scientific and other scholarly papers.
As a Harvard research fellow, Swartz had a JSTOR account and visiting privileges at MIT. Anyone with access to MIT's wide open network had access to JSTOR's database. Swartz took advantage of this open access to programmatically download millions of articles. When JSTOR noticed unusual activity, Swartz continued bulk downloading by entering an unlocked utility closet on MIT's campus to connect his laptop to the network. A camera in the closet caught him in the act.
According to computer experts, Swartz didn't hack into JSTOR's database or insert malware or use someone else's password. He simply exploited a loophole using existing access. In other words, Swartz got faster access to files he was already authorized to download. Or as one expert described it, this was not criminal hacking: “What Aaron did was inconsiderate.”
When Swartz turned over hard drives containing the documents, JSTOR declined to take action and asked the Massachusetts U.S. Attorney's Office to drop any charges. Ignoring JSTOR's request, prosecutors eventually charged Swartz with 13 felony counts. The bulk of the charges were based on alleged “unauthorized access” in violation of the CFAA.
Swartz was now facing up to 50 years in jail and $1 million in fines. The CFAA and the full weight and authority of the Federal Government loomed over him like the sword of Damocles.
“Without Authorization”
“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. … Under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.”
– Chief Judge Alex Kozinski, U.S. Court of Appeals for the Ninth Circuit.
Disagreement among the federal courts in interpreting the CFAA underscores concerns with its extraordinarily broad reach. Under the CFAA, “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is subject to criminal penalties and civil liability. 18 U.S.C. § 1030(a)(2)(C). Recent jurisprudence has focused on the meaning of the term “without authorization” in both the civil and criminal arenas. This has led to a split in the circuits, based on whether the term is to be construed broadly or narrowly.
The broad view turns not just on whether someone has been technically granted access to a particular computer (or particular files), but rather on someone's purpose in accessing the computer. That is, whether the user is acting against the interests of the computer's owner in downloading data. This has led some courts to treat employers' use restrictions (what you can do with data) as similar to access restrictions (what data can be accessed). So if you misuse information that you have a right to access, and thereby violate an employer's use policy, it is potentially a CFAA violation.
For example, in International Airport Centers, LLC v. Citrin, 440 F. 3d 418 (2006), the Seventh Circuit reversed the trial court's dismissal of an employer's CFAA claim against an employee who, before leaving work to start a competing business, copied confidential information from his work computer. The court held that the employee's authority to access information on his work computer was based on his duty of loyalty to his employer. Once that loyalty ended, his access to confidential information was without authorization.
To the contrary, the Ninth Circuit recently took the narrow view of “without authorization” under the CFAA. In United States v. Nosal, No. 10-10038 (9th Cir., April 10, 2012), an employee who had already left his employer convinced former colleagues still working there to send him confidential data to help him start a competing business. The colleagues had general access to the information. However, the employer had a policy that forbade disclosing confidential information. When the employer discovered the transfer of its data, it called the authorities. Nosal was indicted on various charges, including aiding and abetting violations of the CFAA. Nosal moved to dismiss the CFAA counts, arguing that his accomplices were authorized to access the database, even though the information obtained may have been misused under corporate policy.
Critical of the broad view in other circuits and siding with Nosal, the Ninth Circuit held that “the government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”
Nosal was later convicted on other related charges, but the Ninth Circuit's decision has sharply focused the “broad” vs. “narrow” debate. It remains to be seen if the Supreme Court will resolve the split amongst the circuits. However, recent events may force Congress to act first.
Aaron's Law
“As federal prosecutors, our mission includes protecting the use of computers and the Internet by enforcing the law as fairly and responsibly as possible. We strive to do our best to fulfill this mission every day.”
– U.S. Attorney Carmen M. Ortiz.
Aaron Swartz was found hanging from a belt in his Brooklyn apartment on Jan. 11, 2013, two months before his trial was to start. His suicide has sparked protests over the scope of the CFAA, anger at his prosecutors and a Congressional investigation. At his funeral, his father told mourners that he was “killed by the government.”
Outrage over Swartz's death led to new legislation proposed by Rep. Zoe Lofgren (D-CA) entitled “Aaron's Law” (H.R. 2454). The bill would modify the CFAA to clarify that the definition of “unauthorized access” does not include access that violates acceptable use policies or terms of service agreements, whether with a website, ISP or employer.
In the meantime, Darrell Issa (R-CA), Chairman of the House Committee on Oversight and Government Reform, opened an inquiry into how the office of U.S. Attorney Carmen Ortiz handled the case. A groundswell of public anger over perceived prosecutorial bullying in overcharging under the CFAA led to a grassroots petition seeking the removal of Ortiz.
A year later, in January 2014, a documentary film about Swartz premiered at the Sundance Film Festival. The film explores his arrest and the prosecution's tactics in using the CFAA.
Whether Swartz's death will result in CFAA reforms is unclear. Some believe the proposed changes, even under Aaron's Law, do not go far enough to rein in the CFAA. As George Washington University Law Professor Orin Kerr writes, the CFAA, as it now reads, “potentially regulates every use of every computer in the United States and even many millions of computers abroad.”
Conclusion
However, until such reforms are implemented, whether by Congress or the courts, individuals and businesses should be mindful of the far-reaching tentacles of the CFAA, and potential civil liability or criminal charges. Employees leaving a job and employers hiring new employees from competitors need to be particularly wary, lest they be accused of participating in a CFAA violation. As Chief Judge Kozinski points out in Nosal, although the government assures us it won't pursue minor violations under the CFAA, “we shouldn't have to live at the mercy of our local prosecutor.”
Eric A. Packel is a counsel with the Philadelphia office of BakerHostetler. He focuses his practice on privacy, data security and technology issues. Packel has significant experience counseling corporations, healthcare providers and other entities on compliance with data breach notification laws, as well as assisting with data incidents. He can be reached at [email protected].