Exceeding Authorized Access: Legal Use of a Work Computer

December 3, 2020

Is it legal to watch a Browns game on a work computer? On Nov. 30, 2020, the U.S. Supreme Court heard oral argument on a case involving the interpretation of the federal statute, the Computer Fraud and Abuse Act, which makes it a crime for anyone to “exceed the scope of their authorization to access a computer” and thereby obtain “any information.” When Congress passed the law in 1984 and amended it in 1986, computers, computer networks, and computer use generally looked a lot different than it does now. The statute was designed to protect certain types of computers and data from “hacking” – that is, unauthorized access – but recognized that some of the worst offenders could be insiders who use the access they already have to cause damage and harm or to “steal” data or information. In the Supreme Court case, United States v. Van Buren, the Court has to determine what the language and structure of the computer crime statute means. What exactly is “unauthorized access,” and what constitutes “exceeding” that authorized access? Because the statute has both civil and criminal components (entities affected by such unauthorized access can, in addition to asking the government to prosecute, civilly sue the offender), the outcome of the case may determine how to regulate behavior of billions of people online.

Forgive My Trespasses

Intellectually, one of the problems with the “exceeding authorized access” statute is not unique to computers. If I ask my neighbor to water my plants in the kitchen while I am away, are they “exceeding authorized access” if they wander into the living room? Or, if while watering my plants, they turn on the TV? Or, if they do something (say, use the oven) that I specifically told them not to do? One can exceed authorized access by going somewhere you aren’t supposed to go (e.g., going to files or directories you aren’t authorized to go to), or by going somewhere you ARE authorized to go but for a reason you aren’t authorized, OR by going somewhere you are authorized to go, for a reason you are authorized, but then using that access to get files you are allowed to get, but then using those files for an improper purpose.

Cop Talk

In the Van Buren case itself, a Georgia police officer accessed the National Crime Information Computer (NCIC) which is restricted for law enforcement use only. To get an account, he had to agree to abide by the rules, and use his access only for law enforcement purposes. Van Buren used the access to get the names of undercover police officers and run license plates for the benefit of some criminals. Now there were lots of things Van Buren could have been prosecuted for. Theft. Fraud. Larceny. Misappropriation. Embezzlement. Corruption. Bribery. Even denying the people of Georgia of the “honest services” of their police. Van Buren was prosecuted for hacking even though he had an NCIC account, used his real ID and password to access that account, obtained access to data that he – as a police officer – had access to. The DOJ contended that Van Buren was a “hacker” because of his motive and intent (not a law enforcement purpose) when he accessed the data, and because of what he did with the data after he obtained it.

TOS’d & Turned

The rules and regulations of the NCIC database is fundamentally no different than the Terms of Service (ToS) of public websites, or the End User License Agreements, company policies, or other “rules” relating to access and use of computers and databases. They set out what you may and may not do online, and what you may or may not do with data you access online. If you violate these terms, are you “exceeding your authorization” to access or use the computer, and therefore trespassing, and therefore hacking and therefore committing a crime? The Supreme Court was skeptical of this very broad reading of the statute, which would make criminals of anyone who gave false information on a dating profile, violated a company employment policy, or even was a whistleblower who gave information about company impropriety they learned online to investigators. The solicitor general tried to narrow the statute by arguing that the statute did not apply to “public” websites or sites that held information that could otherwise be found online, but the language of the statute does not make that distinction. It’s just “exceed authorized access” and “obtain information.”

Each side had a “parade of horribles” if the Court ruled against them. To the defendant, an adverse ruling means that the government could (not that they would but that they could) prosecute any violation of ToS as a trespass. Indeed, that interpretation would make it difficult to go through a full day online without committing a felony.

On the other hand, if the Court narrowed the statute to those who bypassed some technical barrier to entry (an actual break-in) then, according to the Justice Department, they would not be able to criminally prosecute insiders who steal unprotected (legally unprotected) data like customer lists, etc. from their employers, or cops like Van Buren who tip off suspects. Congress may also step in to amend or clarify the statute, but there does not seem to be much urgency expressed by Congress.

The Supreme Court should hand down its ruling in a few months. If you have any questions regarding exceeding authorized access or the topics discussed in this article, please reach out to Mark Rasch at mdr@kjk.com or 301.547.6925.

KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.