A Final Note on the CFAA

These past few blog entries on the CFAA have shown it to be a piece of legislation that has expanded beyond its original intentions over time. Orignally intended to combat hackers, the CFAA has now expanded, with each amendment, to reach employees accessing files on company computers and accessing of open wireless access points without express permission. However, despite its ability to reach far and wide, the CFAA does not fully address issues that seem to comport with its initial intent of combating hackers or new organized methods of hacking and fraud.

What is in store for the CFAA? Some recent developments in case history might provide a window as to what future amendments might contribute.

TOS as Law?
The recent Myspace suicide case, U.S. v. Drew, 259 F.R.D. 449 (C.D.Cal.,2009), brought attention to the possibility of the CFAA being struck down as unconstitutionally vague. Drew was charged with conspiracy and violated subsection (a)(2)(C)  and (c)(2)(B)(ii) (“accessing a computer without authorization or in excess of authorization and obtaining information from a protected computer where the conduct involves an interstate or foreign communication and the offense is committed in furtherance of a crime or tortious act.” id. at 452) when she created a fake Myspace page. The heart of this case lies with whether an individual who violates a service provider’s TOS is acting “without authorization” and thus criminally liable. The Drew court recognizes that most courts employing the contract interpretation of “authorization” “have held that a conscious violation of a website’s terms of service/use will render the access unauthorized and/or cause it to exceed authorization.” (id. at 460) The court then analyzes and finds that Drew did violate the TOS, and thus the CFAA. However, it then rules that “basing a CFAA misdemeanor violation as per 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A) upon the conscious violation of a website’s terms of service runs afoul of the void-for-vagueness doctrine.” (id. at 14) The court mentions that Myspace’s TOS mentions many prohibited activities, but did not specifically say which would terminate Myspace’s authorization for an individual to access the site. (id.)  Furthermore, it predicts that allowing service providers to effectively write the law in TOS would create more vagueness as often TOS’s are not written very clearly (with an illustration of several vague provisions within the Myspace TOS).

Punishing “Disloyal” Employees
Building on the the post about employees accessing files on company computers, the debate over the definition of “without authorization” seems to be heading towards a less harsh interpretation in the realm of employment related cases. LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (Nev., 2009.) is the first federal court opinion on the subject of criminal liability for access of employer computers with disloyal intent [1] since a case that ruled based on the agency interpretation. Brekka rejects the idea that “authorization” is withdrawn once an employee’s mental state turns against the interests of the employer. (581 F.3d 1127 at 6) This echoes the reasoning in the Drew case about exercising caution when applying criminal liability to individuals using a vague statute.

The biggest problem with the CFAA is its ambiguity, and since no cases dealing with the language of the CFAA have been brought to the Supreme Court yet , there have been many different interpretations of the legislation within state and federal courts. Either a case will have to be granted certiorari for the Supreme Court to create interpretations that are binding across states, or the legislation will have to be amended to explain some of its vaguer provisions.


~ by alyssaufl on January 11, 2010.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: