Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Virtually every day we read about another cyber attack or malicious hacking incident. Hackers seek corporate secrets for competitive advantage, personal information, financial fraud, or sometimes they simply perform “hactivist” political stunts.
As cyber victims and law enforcement struggle to find the means, both technical and legal, to respond to these attacks, critics claim that certain laws go too far. In fact, one statute, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. ' 1830 (http://bit.ly/Jz0c3n), has come under recent scrutiny due to its use against unsuspecting individuals who may not be the malicious hackers that the Act was originally meant to address. This has led to a noisy push for CFAA reform, a split in the Federal Circuit Courts and calls for Congressional action.
CFAA Easy to Violate
“Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime?”
' Chief Judge Alex Kozinski, U.S. Court of Appeals for the Ninth Circuit.
Judge Kozinski's question isn't merely hypothetical. It relates to the far-reaching ramifications of nebulous language in the little known CFAA, a federal anti-hacking statute dating back to 1984, long before commercial use of the Internet. Under the CFAA, if you access a computer “without authorization” or “exceed authorized access,” you could potentially find yourself facing federal criminal charges or involved in an expensive civil lawsuit.
But the average person, a non-hacker, has nothing to fear when engaging in every day innocuous computer use ' right? Not quite.
Virtually every website or online service, whether used for shopping, social media or gaming, includes Terms of Service (TOS), stating what you can or cannot do when using the site.
Likewise, many employers have specific written policies defining what an employee can do when using a work computer. Creative plaintiffs and zealous prosecutors are using these policies and TOS provisions to invoke the CFAA. In other words, exceeding authorized access could simply mean violating a TOS or your employer's computer use policies.
When is the last time you read and understood the fine print in a website's TOS or scoured your employer's computer use policy?
OK, maybe you lied about your age on Facebook, or perhaps shared your password with a friend. Maybe you created an entirely fictitious account just so you could see what your old high school pals from 20 years ago look like today. Perhaps you haven't updated your account in two years and the contact information is out of date. All of these common and seemingly innocuous activities violate Facebook's TOS and could potentially subject users to felony charges or a civil action under the CFAA.
In the business context, it would be a rare employee that did not send any personal e-mails from work. Some employees may even do online shopping or spend the bulk of a day researching travel information. What if you use your authorized access on your company's network to obtain information for personal reasons, such as setting up a competing business? All of these actions are typically violations of company policy and, under the Justice Department's interpretation of the CFAA, make ordinary workers felons.
The broad use of the CFAA for seemingly technical TOS violations is not an abstract concept. Consider the case of Lori Drew from 2006. Drew created a fake MySpace account to communicate with a former friend of her daughter. Continuing to pose as the phony person, Drew cyber-bullied her daughter's former friend, who eventually committed suicide.
Authorities in Missouri, where Drew was from, did not find that any laws were violated. But since the MySpace servers were located in California, a creative U.S. Attorney there filed criminal charges against Drew based on the CFAA and Drew's violation of MySpace's TOS. The TOS provided that users must offer “truthful and accurate” information about themselves. In a ruling on the sufficiency of the charges, the Drew court concluded that an intentional breach of MySpace's TOS could potentially constitute accessing MySpace computers without authorization (or exceeding authorization) under the CFAA.
While Drew may not be a sympathetic “victim” of vague CFAA language, the use of mostly unread legalese in online provisions to bring criminal charges raises loud alarms in legal circles, since it puts virtually every computer user at risk. In fact, more recently, the CFAA became the focus of an international firestorm when it was used to target a well-known and admired Harvard researcher in what many deemed to be an overzealous prosecution and a prime example of potential abuse of the CFAA.
'Stealing Is Stealing'
“Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars.”
' U.S. Attorney Carmen M. Ortiz, in a 2011 press release.
At 14 years old, already a programming prodigy, Aaron Swartz helped develop the RSS Web feed, a program that automatically delivers updated content to users. He later co-founded the social media website, Reddit.
Swartz was admitted to Stanford University, but dropped out after a year to start a software company and because, as he blogged, “I didn't find it a very intellectual atmosphere, since most of the other kids seemed profoundly unconcerned with their studies.”
In 2010, at the age of 23, Swartz became a research fellow at Harvard University's Edmond J. Safra Center for Ethics, where his friend and mentor, Harvard Law Professor Lawrence Lessig, was the Director. By this time, Swartz was also a well-known figure in the open access movement ' an effort to provide free and unrestricted access, via the Internet, to scientific and scholarly research.
His Internet activism included taking action that poked authorities. In 2008, in an effort to make a point about access to public records, Swartz downloaded and released to a non-profit group millions of federal court documents stored in the U.S. Court system's PACER database. Although PACER normally charged a per-page fee, some libraries at the time offered free access thus enabling Swartz to use a script to download massive amounts of court records without charge. While drawing the FBI's attention, no charges were filed since the documents were in fact public records.
But the next time he wouldn't be so lucky. In 2011, Swartz was arrested after he used MIT's computer network to download millions of academic papers stored by JSTOR, a digital service that provided access to scientific and other scholarly papers.
As a Harvard research fellow, Swartz had a JSTOR account and visiting privileges at MIT. Anyone with access to MIT's wide-open network had access to JSTOR's database. Swartz took advantage of this open access to programmatically download millions of articles. When JSTOR noticed unusual activity, Swartz continued bulk downloading by entering an unlocked utility closet on MIT's campus to connect his laptop to the network. A camera in the closet caught him in the act.
According to computer experts, Swartz didn't hack into JSTOR's database or insert malware or use someone else's password. He simply exploited a loophole using existing access. In other words, Swartz got faster access to files he was already authorized to download. Or as one expert described it, this was not criminal hacking: “What Aaron did was inconsiderate.”
When Swartz turned over hard drives containing the documents, JSTOR declined to take action and asked the Massachusetts U.S. Attorney's Office to drop any charges. Nevertheless, Swartz was eventually charged with 13 felony counts. The bulk of the charges were based on alleged “unauthorized access” in violation of the CFAA.
Swartz was now facing up to 50 years in jail and $1 million in fines. The CFAA and the full weight and authority of the Federal Government loomed over him like the sword of Damocles.
'Without Authorization'
Disagreement among the federal courts in interpreting the CFAA underscores concerns with its extraordinarily broad reach. Under the CFAA, “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is subject to criminal penalties and civil liability. 18 U.S.C. '1030(a)(2)(C). Recent jurisprudence has focused on the meaning of the term “without authorization” in both the civil and criminal arenas. This has led to a split in the circuits, based on whether the term is to be construed either broadly or narrowly.
The broad view turns on not just whether someone has been technically granted access to a particular computer (or particular files), but rather someone's purpose in accessing the computer. That is, whether the user is acting against the interests of the computer's owner in downloading data. This has led some courts to consider employer's use restrictions (what you can do with data) as similar to access restrictions (what data can be accessed). So if you misuse information that you have a right to access, and thereby violate an employer's use policy, it is potentially a CFAA violation.
For example, in International Airport Centers, LLC v. Citrin, 440 F. 3d 418 (2006), the Seventh Circuit reversed the trial court's dismissal of an employer's CFAA claim against an employee who, before leaving work to start a competing business, copied confidential information from his work computer. The court held that the employee's authority to access information on his work computer was based on his duty of loyalty to his employer. Once that loyalty ended, his access to confidential information was without authorization.
To the contrary, the Ninth Circuit recently took the narrow view of “without authorization” under the CFAA. In United States v. Nosal, No. 10-10038 (9th Cir., April 10, 2012) (http://1.usa.gov/130c5oO), an employee who had already left his employer convinced former colleagues still working there to send him confidential data to help him start a competing business. The colleagues had general access to the information. However, the employer had a policy that forbade disclosing confidential information. When the employer discovered the transfer of its data it called the authorities. Nosal was indicted under various charges, including aiding and abetting violations of the CFAA. Nosal moved to dismiss the CFAA counts, arguing that his accomplices were authorized to access the database, even though the information obtained may have been misused under corporate policy.
Critical of the broad view in other circuits and siding with Nosal, the Ninth Circuit held that “the government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”
Nosal was later convicted on other related charges, but the Ninth Circuit's decision has sharply focused the “broad” vs. “narrow” debate. It remains to be seen if the Supreme Court will resolve the split among the circuits. However, recent events may force Congress to act first.
Aaron's Law
Aaron Swartz was found hanging from a belt in his Brooklyn apartment on Jan. 11, 2013, two months before his trial was to start.
Outrage over Swartz's death led to new legislation proposed by Rep. Zoe Lofgren (D-CA) titled “Aaron's Law.” (H.R. 2454) (http://bit.ly/1dxOWij). The bill would modify the CFAA to clarify that the definition of “unauthorized access” does not include access that violates acceptable use policies or terms of service agreements, whether with a website, ISP or employer.
In the meantime, Darrell Issa (R-CA), Chairman of the House Committee on Oversight and Government Reform, opened an inquiry into how the office of U.S. Attorney Carmen Ortiz handled the case.
Whether Swartz's death will result in CFAA reforms is unclear. Some believe the proposed changes even under Aaron's Law do not go far enough to rein in the CFAA. As George Washington University Law Professor Orin Kerr writes, the CFAA, as it now reads, “potentially regulates every use of every computer in the United States and even many millions of computers abroad.”
Conclusion
However, until such reforms are implemented, whether by Congress or the courts, individuals and businesses should be mindful of the far-reaching tentacles of the CFAA, and potential civil liability or criminal charges. Employees leaving a job and employers hiring new employees from competitors need to be particularly wary, lest they be accused of participating in a CFAA violation. As Chief Judge Kozinski points out in Nosal, although the government assures us it won't pursue minor violations under the CFAA, “we shouldn't have to live at the mercy of our local prosecutor.”
Eric A. Packel is a counsel with the Philadelphia office of BakerHostetler. He can be reached at [email protected].
Virtually every day we read about another cyber attack or malicious hacking incident. Hackers seek corporate secrets for competitive advantage, personal information, financial fraud, or sometimes they simply perform “hactivist” political stunts.
As cyber victims and law enforcement struggle to find the means, both technical and legal, to respond to these attacks, critics claim that certain laws go too far. In fact, one statute, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. ' 1830 (http://bit.ly/Jz0c3n), has come under recent scrutiny due to its use against unsuspecting individuals who may not be the malicious hackers that the Act was originally meant to address. This has led to a noisy push for CFAA reform, a split in the Federal Circuit Courts and calls for Congressional action.
CFAA Easy to Violate
“Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime?”
' Chief Judge
Judge Kozinski's question isn't merely hypothetical. It relates to the far-reaching ramifications of nebulous language in the little known CFAA, a federal anti-hacking statute dating back to 1984, long before commercial use of the Internet. Under the CFAA, if you access a computer “without authorization” or “exceed authorized access,” you could potentially find yourself facing federal criminal charges or involved in an expensive civil lawsuit.
But the average person, a non-hacker, has nothing to fear when engaging in every day innocuous computer use ' right? Not quite.
Virtually every website or online service, whether used for shopping, social media or gaming, includes Terms of Service (TOS), stating what you can or cannot do when using the site.
Likewise, many employers have specific written policies defining what an employee can do when using a work computer. Creative plaintiffs and zealous prosecutors are using these policies and TOS provisions to invoke the CFAA. In other words, exceeding authorized access could simply mean violating a TOS or your employer's computer use policies.
When is the last time you read and understood the fine print in a website's TOS or scoured your employer's computer use policy?
OK, maybe you lied about your age on Facebook, or perhaps shared your password with a friend. Maybe you created an entirely fictitious account just so you could see what your old high school pals from 20 years ago look like today. Perhaps you haven't updated your account in two years and the contact information is out of date. All of these common and seemingly innocuous activities violate Facebook's TOS and could potentially subject users to felony charges or a civil action under the CFAA.
In the business context, it would be a rare employee that did not send any personal e-mails from work. Some employees may even do online shopping or spend the bulk of a day researching travel information. What if you use your authorized access on your company's network to obtain information for personal reasons, such as setting up a competing business? All of these actions are typically violations of company policy and, under the Justice Department's interpretation of the CFAA, make ordinary workers felons.
The broad use of the CFAA for seemingly technical TOS violations is not an abstract concept. Consider the case of Lori Drew from 2006. Drew created a fake MySpace account to communicate with a former friend of her daughter. Continuing to pose as the phony person, Drew cyber-bullied her daughter's former friend, who eventually committed suicide.
Authorities in Missouri, where Drew was from, did not find that any laws were violated. But since the MySpace servers were located in California, a creative U.S. Attorney there filed criminal charges against Drew based on the CFAA and Drew's violation of MySpace's TOS. The TOS provided that users must offer “truthful and accurate” information about themselves. In a ruling on the sufficiency of the charges, the Drew court concluded that an intentional breach of MySpace's TOS could potentially constitute accessing MySpace computers without authorization (or exceeding authorization) under the CFAA.
While Drew may not be a sympathetic “victim” of vague CFAA language, the use of mostly unread legalese in online provisions to bring criminal charges raises loud alarms in legal circles, since it puts virtually every computer user at risk. In fact, more recently, the CFAA became the focus of an international firestorm when it was used to target a well-known and admired Harvard researcher in what many deemed to be an overzealous prosecution and a prime example of potential abuse of the CFAA.
'Stealing Is Stealing'
“Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars.”
' U.S. Attorney Carmen M. Ortiz, in a 2011 press release.
At 14 years old, already a programming prodigy, Aaron Swartz helped develop the RSS Web feed, a program that automatically delivers updated content to users. He later co-founded the social media website, Reddit.
Swartz was admitted to Stanford University, but dropped out after a year to start a software company and because, as he blogged, “I didn't find it a very intellectual atmosphere, since most of the other kids seemed profoundly unconcerned with their studies.”
In 2010, at the age of 23, Swartz became a research fellow at Harvard University's Edmond J. Safra Center for Ethics, where his friend and mentor, Harvard Law Professor Lawrence Lessig, was the Director. By this time, Swartz was also a well-known figure in the open access movement ' an effort to provide free and unrestricted access, via the Internet, to scientific and scholarly research.
His Internet activism included taking action that poked authorities. In 2008, in an effort to make a point about access to public records, Swartz downloaded and released to a non-profit group millions of federal court documents stored in the U.S. Court system's PACER database. Although PACER normally charged a per-page fee, some libraries at the time offered free access thus enabling Swartz to use a script to download massive amounts of court records without charge. While drawing the FBI's attention, no charges were filed since the documents were in fact public records.
But the next time he wouldn't be so lucky. In 2011, Swartz was arrested after he used MIT's computer network to download millions of academic papers stored by JSTOR, a digital service that provided access to scientific and other scholarly papers.
As a Harvard research fellow, Swartz had a JSTOR account and visiting privileges at MIT. Anyone with access to MIT's wide-open network had access to JSTOR's database. Swartz took advantage of this open access to programmatically download millions of articles. When JSTOR noticed unusual activity, Swartz continued bulk downloading by entering an unlocked utility closet on MIT's campus to connect his laptop to the network. A camera in the closet caught him in the act.
According to computer experts, Swartz didn't hack into JSTOR's database or insert malware or use someone else's password. He simply exploited a loophole using existing access. In other words, Swartz got faster access to files he was already authorized to download. Or as one expert described it, this was not criminal hacking: “What Aaron did was inconsiderate.”
When Swartz turned over hard drives containing the documents, JSTOR declined to take action and asked the
Swartz was now facing up to 50 years in jail and $1 million in fines. The CFAA and the full weight and authority of the Federal Government loomed over him like the sword of Damocles.
'Without Authorization'
Disagreement among the federal courts in interpreting the CFAA underscores concerns with its extraordinarily broad reach. Under the CFAA, “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is subject to criminal penalties and civil liability. 18 U.S.C. '1030(a)(2)(C). Recent jurisprudence has focused on the meaning of the term “without authorization” in both the civil and criminal arenas. This has led to a split in the circuits, based on whether the term is to be construed either broadly or narrowly.
The broad view turns on not just whether someone has been technically granted access to a particular computer (or particular files), but rather someone's purpose in accessing the computer. That is, whether the user is acting against the interests of the computer's owner in downloading data. This has led some courts to consider employer's use restrictions (what you can do with data) as similar to access restrictions (what data can be accessed). So if you misuse information that you have a right to access, and thereby violate an employer's use policy, it is potentially a CFAA violation.
For example, in
To the contrary, the Ninth Circuit recently took the narrow view of “without authorization” under the CFAA. In United States v. Nosal, No. 10-10038 (9th Cir., April 10, 2012) (http://1.usa.gov/130c5oO), an employee who had already left his employer convinced former colleagues still working there to send him confidential data to help him start a competing business. The colleagues had general access to the information. However, the employer had a policy that forbade disclosing confidential information. When the employer discovered the transfer of its data it called the authorities. Nosal was indicted under various charges, including aiding and abetting violations of the CFAA. Nosal moved to dismiss the CFAA counts, arguing that his accomplices were authorized to access the database, even though the information obtained may have been misused under corporate policy.
Critical of the broad view in other circuits and siding with Nosal, the Ninth Circuit held that “the government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”
Nosal was later convicted on other related charges, but the Ninth Circuit's decision has sharply focused the “broad” vs. “narrow” debate. It remains to be seen if the Supreme Court will resolve the split among the circuits. However, recent events may force Congress to act first.
Aaron's Law
Aaron Swartz was found hanging from a belt in his Brooklyn apartment on Jan. 11, 2013, two months before his trial was to start.
Outrage over Swartz's death led to new legislation proposed by Rep. Zoe Lofgren (D-CA) titled “Aaron's Law.” (H.R. 2454) (http://bit.ly/1dxOWij). The bill would modify the CFAA to clarify that the definition of “unauthorized access” does not include access that violates acceptable use policies or terms of service agreements, whether with a website, ISP or employer.
In the meantime, Darrell Issa (R-CA), Chairman of the House Committee on Oversight and Government Reform, opened an inquiry into how the office of U.S. Attorney Carmen Ortiz handled the case.
Whether Swartz's death will result in CFAA reforms is unclear. Some believe the proposed changes even under Aaron's Law do not go far enough to rein in the CFAA. As
Conclusion
However, until such reforms are implemented, whether by Congress or the courts, individuals and businesses should be mindful of the far-reaching tentacles of the CFAA, and potential civil liability or criminal charges. Employees leaving a job and employers hiring new employees from competitors need to be particularly wary, lest they be accused of participating in a CFAA violation. As Chief Judge Kozinski points out in Nosal, although the government assures us it won't pursue minor violations under the CFAA, “we shouldn't have to live at the mercy of our local prosecutor.”
Eric A. Packel is a counsel with the Philadelphia office of BakerHostetler. He can be reached at [email protected].
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.