In U.S. v. Auernheimer, the 3rd Circuit failed to clarify “unauthorized access” relying on venue. The Court had an opportunity to chime in and clarify the term “unauthorized access” under CFAA but never got there.

In U.S. v. Auernheimer (3rd Circuit No. 13-1816, 4/11/14) the defendant was charged with having “hacked into” the AT&T network for connecting first-generation iPads to the web. Prosecutors brought charges against Auernheimer in the District of New Jersey despite the fact that defendant was apparently located in Arkansas and the computers were in Texas and Georgia. Defendant initially moved to dismiss the case at the District Court based on venue, but was rebuffed on the theory that some of the data he obtained belonged to New Jersey residents, and thus at least part of the crime with which he was charged was committed there. After the jury convicted him, defendant was sentenced to 41 months in prison.

The Computer Fraud and Abuse Act (18 USC §1030) (“CFAA”) has drawn increasing attention from prosecutors as well as civil litigants in the recent past, since it outlaws “unauthorized” access to virtually every computer, smartphone and tablet now in existence. In the past year, high-profile prosecutions (e.g. US v. Aaron Swartz, where a noted internet activist was charged for having obtained access to scholarly papers by tapping into an MIT network) have raised serious questions about how the law should be interpreted.

The CFAA establishes that it is a crime whenever someone

…knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value…

(§1030(a)(4)

The CFAA defines “unauthorized access” as:

to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.

(§1030(e)(6)).

Courts have split sharply over what constitutes “unauthorized” access, since the statute does not define it. In the 7th Circuit, the Court permitted a claim to proceed where an “authorized” user accessed files in order to quit and go into business in competition with their employer, (IAC v. Citrin, 440 F.3d 418 (7th Cir. 2006)) analogizing to agency law and concluding that once the authorized agent breaches their duty to their principal, their authorization is automatically revoked.

On the other hand, in the 9th Circuit the Court went in a very different direction in holding that if a user is authorized, the CFAA is not applicable even if the user is in the process of betraying their authorizer (US v. Nosal). The court determined that the CFAA only applies when the data is accessed impermissibly, and not when the use of the data is improper or when the person accessing it has bad intentions. The 9th Circuit expressly worried about allowing the question of whether one is “authorized” to depend on contract language, policy terms and other easily-modified, often-ignored, easily-overlooked language.

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.

(slip op. at 3866)

Other circuits have come down at different points along this spectrum – compare U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) U.S. v. John, 597 F.3d 263 (5th Cir. 2010);WEC Carolina v. Miller 687 F.3d 189 (4th Cir. 2012)

The Court of Appeals reversed the conviction but on the threshold issue of venue. In an opinion punctuated with citations to the DOJ’s own Computer Crime manual, the court noted that a defendant has not one but two constitutional rights to be tried in the proper venue (Article III, § 2, cl. 3 as well as the Sixth amendment), and that even the Declaration of Independence incorporated improper venue for criminal trials as one of the listed grievances against the Crown (“…transporting us beyond seas to be tried for pretended offences.”). Concluding that defendant had not performed any “essential conduct element” of a CFAA violation in New Jersey, the Court found venue was improper and reversed the conviction.

In online activity, the question of “where” something happens has become almost a philosophical debate. (“Where are we when we are online?”) But the 3rd Circuit rejected such an approach here.

As we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justified disregarding constitutional limits on venue. People and computers still exist in identifiable places in the physical world….Though our nation has changed is ways which it is difficult to imagine that the Framers of the Constitution could have foreseen, the rights of criminal defendants which they sought to protect in the venue provisions of the Constitution are neither outdated nor outmoded…Just as this was true…after the advent of railroad, express mail, the telegraph, the telephone, the automobile, air travel and satellite communications – it remains true in today’s Internet age.

(slip op. p. 22, internal quotes omitted)

Yes, cyber issues are fascinating. But sometimes we need to go back to the basics.