A recent ruling in a highly publicized case in the United States District Court for the Central District of California rejected an aggressive legal theory that could have led to broad criminalization of the breach of terms conditioning access to websites and other computerized information. However, the opinion did leave the door open for trade secret and other civil litigants to rely on a similar theory.

The Computer Fraud and Abuse Act (CFAA) allows for both criminal and private civil actions to be brought based upon access to a protected computer that is “without authorization” or that “exceeds authorization.” In the last few years, plaintiffs have increasingly sought to use the CFAA as a basis for civil lawsuits based on misappropriation of company information, unauthorized website scraping, and any other purportedly objectionable taking of a plaintiff’s computerized data. The premise underlying these lawsuits is that, while the defendants in question (typically absconding employees or exploitative website users) had ready access to the data at issue, such access was conditioned upon satisfaction of a duty of loyalty to the employer or of website terms and conditions. When these conditions of access were not met, either because the employee was obtaining the information in breach of duty or because the website user was breaching terms of use, the aspiring CFAA plaintiff argues that the access became “unauthorized,” triggering a CFAA action. Courts have split on whether to allow a CFAA claim to be asserted in what are otherwise trade secret and breach of contract actions, with recent opinions trending against such allowance. However, that trend may be changing.

This expansive reading of “unauthorized” access under the CFAA was most recently tested in the criminal context in the case of United States v. Drew, 2009 WL 2872855 (C.D. Cal Aug. 28, 2009). While Judge George Wu made clear that a violation of website terms and conditions alone will not be considered a criminal CFAA violation, he also indicated in his opinion that a failure to satisfy conditions for computer access could yet give rise to a civil CFAA action.

Background of the Case

The background of this “cyberbullying” case may sound familiar to those following national headlines. In 2006, defendant Lori Drew, a Missouri mother, and two others used social networking site MySpace.com to concoct the online persona of “Josh Evans,” a 16-year old boy who purportedly lived in a nearby Missouri town. Drew’s teenage daughter was at the time engaged in a dispute with a 13-year old girl living on the same street, Megan Meier. Drew used the fictitious Josh Evans to strike up an online friendship with Meier and attempted to extract information from Meier regarding rumors she may have spread about Drew’s daughter. After a few weeks of online flirting, “Josh” terminated the relationship, telling Meier that “the world would be a better place without you.” Meier committed suicide soon afterwards, bringing nationwide publicity and concern.

As details of the incident and Drew’s role in the tragedy emerged, public pressure grew for prosecution of Drew, but given the lack of any statute criminalizing cyberbullying, Missouri prosecutors took no action. Strangely, it was 1,500 miles away, in Southern California, that Drew was finally hauled into court. Citing the location of MySpace servers in Beverly Hills, the U.S. Attorney brought charges against Drew in Los Angeles citing her alleged violation of § 1030(a)(2)(C) of the CFAA, which proscribes “unauthorized access” to a protected computer to obtain information. The government contended that her access to MySpace servers via the bogus “Josh Evans” account was unauthorized because she had provided false registration information, used information from MySpace for harassment purposes, and otherwise breached MySpace’s terms and conditions.

The Arguments on Either Side

The prospect that a breach of website terms and conditions could lead to criminal liability made this a case to watch for Internet freedom advocates, and the Electronic Frontier Foundation, the Center for Democracy and Technology, Public Citizen and a variety of legal scholars came to Drew’s defense as amici curiae. In support of her pre-trial motion to dismiss, Drew’s defenders pointed out the dangerous ramifications of the prosecution view, noting that it would “convert the millions of internet-using Americans who disregard terms of service into federal criminals.” The CFAA, they argued, should be targeted to true “hackers;” it is not a mechanism to convert a civil breach of terms of access into a criminal act. The case was nevertheless allowed to proceed to trial, where prosecutors argued that violating the MySpace terms of service in order to harass Meier was the legal equivalent of hacking a computer. On November 26, 2008, a California jury convicted Drew on three counts of unauthorized computer access.

Drew promptly moved for directed acquittal, advancing many of the same policy arguments presented unsuccessfully before trial. The post-trial briefing turned primarily on cases applying the CFAA in the civil context and, in particular, on the construction of the phrase “without authorization,” as the CFAA requires that access to the computer in question be without or exceeding authorization. The government highlighted those cases in the trade secret context finding that an employee accesses a computer “without authorization” for purposes of the CFAA when that employee is acting in breach of their duty of loyalty, regardless of whether actual access was nominally permitted, as in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). However, as the defense pointed out, a growing number of cases have held that access to a protected computer occurs “without authorization” only when initial access is not permitted (such as U.S. Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189 (D. Kan. Jan. 21, 2009) and Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting, LLC, 600 F. Supp. 2d 1045 (E.D. Mo. Jan. 22, 2009)). Thus, even if the access occurs under a false pretext, or for impermissible purposes, it may nevertheless be “authorized” for CFAA purposes. In moving to dismiss after trial, Drew noted this trend in civil CFAA cases and advocated that the CFAA should not properly be directed toward those whose access was at least initially authorized, albeit perhaps based on false representations.

Judge Wu ultimately overturned the jury’s verdict on July 2, 2009 and granted the defense’s motion for acquittal, noting that if Drew were found guilty then anyone who violated MySpace’s terms of service could also be found guilty of a federal crime. His August 28, 2009 opinion elaborated upon this rationale, observing that it clearly could not be the case that any breach of a term of service (including the “lonely heart who submits intentionally inaccurate data about his or her physical appearance”) could give rise to criminal liability. Because no one could know which terms would give rise to criminal liability when violated, the government’s theory that a breach of website terms of use forms a basis for criminal CFAA liability runs afoul of the void-forvagueness doctrine.

While this ruling was welcomed by Internet freedom advocates, its substantial protections from criminal CFAA liability do not translate to insulation from civil CFAA liability for those that access computers without meeting all conditions for permitted access. On the contrary, Judge Wu explicitly found that “a website’s terms of service/use can define what is (and/or is not) authorized access vis-à-vis that website.” This is an implicit rejection of the view that the CFAA is meant to address only true “hackers,” and not those who access computers with initial permission but in breach of a contractual or fiduciary duty.

Impact on Civil CFAA Litigation

As discussed above, in recent years, the CFAA has become a popular supplement or even alternative to a trade secret action for civil litigants. Trade secret actions arise under state law, but the CFAA confers federal subject matter jurisdiction, enabling the suit to proceed in federal court, which a plaintiff might prefer for strategic reasons. Moreover, the CFAA allows an action for the mere taking of “information,” an easier hurdle to clear for a plaintiff that may not be able to show the strict confidentiality of misappropriated information required for a trade secret action. This avenue was initially a promising one for trade secret plaintiffs, but had become less so of late as courts were increasingly denying CFAA actions where the accused employee may have been acting disloyally in taking computerized company information but had not actually hacked into the company network to do so. The Drew opinion, in rejecting the predicate that access must be wholly illicit in order to be “unauthorized” for CFAA purposes, provides significant if indirect support for trade secret litigants seeking to proceed under the CFAA.

Insofar as website owners may also seek to rely on the CFAA as a means to pursue web “scrapers,” competitors, or simply users that access their websites in breach of the site’s terms and conditions, Drew similarly provides support. Website owners can cite Drew for the proposition that a breach of website terms of use can render access to a fully public website unauthorized for CFAA purposes.

Finally, Drew is on the whole good news for the Internetusing community at large. While web users may still face civil liability for violations of the “fine print” in the terms of use, they can rest easier knowing they should not face CFAA criminal charges.