The Computer Fraud and Abuse Act (18 U.S.C. 1030) (CFAA) represents the main federal cause of action against unauthorized intrusion into computer systems and networks. In relevant part, the statute prohibits users from intentionally accessing a protected computer without authorization, or “exceeding authorized access” to that computer. Members of Congress have floated conflicting proposals to amend the statute.
Outside the legislative hallways, the Courts of Appeal are equally divided on what the phrase “exceeds authorized access” means. Nosal (9th Cir., en banc) held that a defendant did not exceed authorized access by misusing information on a protected computer, so long as he was authorized to access that information in the first instance. The Fourth Circuit, in the Carolina Energy case, relied heavily on Nosal, and came out the same way. The Seventh, Fifth, First, and Eleventh Circuits (all in cases that predated Nosal) have held the opposite: that the “fraud” aspect of the CFAA reaches cases in which a user acquires authorized access to a database, but then uses that access for an unauthorized purpose.
The Second Circuit has now lent its influential voice to this debate. In its December 3, 2015 decision, United States v. Valle, a divided panel of the Second Circuit essentially agreed with the Ninth Circuit, holding that a person who has authorized access to a database for one purpose, but uses that database for another purpose, has not violated the statute. In Valle, the defendant, a police officer, was authorized to access certain federal databases for law enforcement purposes. Instead, he accessed them to locate a woman whom he had said he wanted to torture, rape, and murder. His wife discovered a number of disturbing emails and chats, and reported him to law enforcement authorities. A jury convicted him on two counts: (1) conspiracy to kidnap; and (2) violation of the CFAA. The Court of Appeals reversed on both counts.
With respect to the CFAA, the defendant was charged with violation of 18 U.S.C. 1030(a)(2)(B), which created criminal (and civil) liability for anyone who “intentionally accesses a computer without authorization” or “exceeds authorized access and thereby obtains information” from the United States government. Valle argued that his position as a police officer gave him authorized access to federal databases, and that because of that status his lack of an authorized purpose was irrelevant. The government, in contrast, argued that Valle needed a law enforcement purpose to use federal investigative tools, and that once he accessed those tools with a different purpose, he had violated the statute.
The court found the language of the statute ambiguous, and reasoned that it was obligated to apply the “rule of lenity”: when a criminal statute’s text, structure, purpose and history leave doubt about the criminality of a defendant’s conduct, courts should not infer legislative intent to criminalize that conduct. Here, it found that the statute was reasonably susceptible to a narrower reading. The Court read the statute to prohibit hacking in two scenarios: either when the hacker broke into the system from the outside, or when the hacker had authorized access to a terminal and used that access as a launching point to obtain files and information to which access was denied.
Importantly, the court acknowledged that its decision “impacts many more people than Valle. It will not only affect those who improperly access information from a government computer – a result some readers might find palatable – but also those who improperly access ‘any protected computer’ and thereby obtain information.”
Divided courts of appeal and questions of “exceptional importance” are reasons for Supreme Court review, and the judges may have been tacitly asking the higher court for clarification. It is unclear at this point whether the government plans to appeal, but this is a case worth watching.