A recent ruling in a highly publicized case in the United States District Court for the Central District of California rejected an aggressive legal theory that could have led to broad criminalization of the breach of terms conditioning access to websites and other computerized information. However, the opinion did leave the door open for trade secret and other civil litigants to rely on a similar theory.
This expansive reading of “unauthorized” access under the CFAA was most recently tested in the criminal context in the case of United States v. Drew, 2009 WL 2872855 (C.D. Cal. Aug. 28, 2009). While Judge George Wu made clear that a violation of website terms and conditions alone will not be considered a criminal CFAA violation, he also indicated in his opinion that a failure to satisfy conditions for computer access could yet give rise to a civil CFAA action.
Background of the Case
The background of this “cyberbullying” case may sound familiar to those following national headlines. In 2006, defendant Lori Drew, a Missouri mother, and two others used social networking site MySpace.com to concoct the online persona of “Josh Evans,” a 16-year-old boy who purportedly lived in a nearby Missouri town. Drew’s teenage daughter was at the time engaged in a dispute with a 13-year-old girl living on the same street, Megan Meier. Drew used the fictitious Josh Evans to strike up an online friendship with Meier and attempted to extract information from Meier regarding rumors she may have spread about Drew’s daughter. After a few weeks of online flirting, “Josh” terminated the relationship, telling Meier that “the world would be a better place without you.” Meier committed suicide soon afterwards, bringing nationwide publicity and concern.
As details of the incident and Drew’s role in the tragedy emerged, public pressure grew for prosecution of Drew, but given the lack of any statute criminalizing cyberbullying, Missouri prosecutors took no action. Strangely, it was 1,500 miles away, in Southern California, that Drew was finally hauled into court. Citing the location of MySpace servers in Beverly Hills, the U.S. Attorney brought charges against Drew in Los Angeles for her alleged violation of § 1030(a)(2)(C) of the CFAA, which proscribes “unauthorized access” to a protected computer to obtain information. The government contended that her access to MySpace servers via the bogus “Josh Evans” account was unauthorized because she had provided false registration information, used information from MySpace for harassment purposes, and otherwise breached MySpace’s terms and conditions.
The Arguments on Either Side
The prospect that a breach of website terms and conditions could lead to criminal liability made this a case to watch for Internet freedom advocates, and the Electronic Frontier Foundation, the Center for Democracy and Technology, Public Citizen and a variety of legal scholars came to Drew’s defense as amici curiae. In support of her pre-trial motion to dismiss, Drew’s defenders pointed out the dangerous ramifications of the prosecution view, noting that it would “convert the millions of internet-using Americans who disregard terms of service into federal criminals.” The CFAA, they argued, should be targeted to true “hackers”; it is not a mechanism to convert a civil breach of terms of access into a criminal act. The case was nevertheless allowed to proceed to trial, where prosecutors argued that violating the MySpace terms of service in order to harass Meier was the legal equivalent of hacking a computer. On November 26, 2008, a California jury convicted Drew on three counts of unauthorized computer access.
Drew promptly moved for directed acquittal, advancing many of the same policy arguments presented unsuccessfully before trial. The post-trial briefing turned primarily on cases applying the CFAA in the civil context and, in particular, on the construction of the phrase “without authorization,” as the CFAA requires that access to the computer in question be without or exceeding authorization. The government highlighted those cases in the trade secret context finding that an employee accesses a computer “without authorization” for purposes of the CFAA when that employee is acting in breach of their duty of loyalty, regardless of whether actual access was nominally permitted, as in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). However, as the defense pointed out, a growing number of cases have held that access to a protected computer occurs “without authorization” only when initial access is not permitted (such as U.S. Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189 (D. Kan. Jan. 21, 2009) and Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting, LLC, 600 F. Supp. 2d 1045 (E.D. Mo. Jan. 22, 2009)). Thus, even if the access occurs under a false pretext, or for impermissible purposes, it may nevertheless be “authorized” for CFAA purposes. In moving to dismiss after trial, Drew noted this trend in civil CFAA cases and advocated that the CFAA should not properly be directed toward those whose access was at least initially authorized, albeit perhaps based on false representations.
While this ruling was welcomed by Internet freedom advocates, its substantial protections from criminal CFAA liability do not translate to insulation from civil CFAA liability for those who access computers without meeting all conditions for permitted access. On the contrary, Judge Wu explicitly found that “a website’s terms of service/use can define what is (and/or is not) authorized access vis-à-vis that website.” This is an implicit rejection of the view that the CFAA is meant to address only true “hackers,” and not those who access computers with initial permission but in breach of a contractual or fiduciary duty.
Impact on Civil CFAA Litigation
As discussed above, in recent years, the CFAA has become a popular supplement or even alternative to a trade secret action for civil litigants. Trade secret actions arise under state law, but the CFAA confers federal subject matter jurisdiction, enabling the suit to proceed in federal court, which a plaintiff might prefer for strategic reasons. Moreover, the CFAA allows an action for the mere taking of “information,” an easier hurdle to clear for a plaintiff that may not be able to show the strict confidentiality of misappropriated information required for a trade secret action. This avenue was initially a promising one for trade secret plaintiffs, but had become less so of late as courts were increasingly denying CFAA actions where the accused employee may have been acting disloyally in taking computerized company information but had not actually hacked into the company network to do so. The Drew opinion, in rejecting the predicate that access must be wholly illicit in order to be “unauthorized” for CFAA purposes, provides significant if indirect support for trade secret litigants seeking to proceed under the CFAA.