Monday, July 30, 2012
When is unauthorized use not "use without authorization"
In WEC Carolina Energy Solutions LLC v. Miller, the Fourth Circuit in an opinion by Judge Floyd joined by Judge Shedd and Senior Judge Hamilton held that the defendant's alleged violation of his former employer's policies against downloading confidential company documents for personal use could not be the basis for a civil action under the federal Computer Fraud and Abuse Act, which provides a civil remedy for violations of the criminal act that defines a crime involving the use of computers "without authorization" or "in excess of authority." Recognizing a split in the authority from other circuits, the Court joined with the more restrictive Ninth Circuit view stated in United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) and refused to follow the Seventh Circuit view stated in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). The Court concluded: "[W]e adopt a narrow reading of the terms 'without authorization" and "exceeds authorized access" and hold that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.'" Interesting, the Virginia Computer Crimes Act, adopted around the same time as the federal act, includes a definition of "without authority" - "A person is 'without authority' when he knows or reasonably should know that he has no right, agreement, or permission or acts in a manner knowingly exceeding such right, agreement, or permission." Va. Code 18.2-152.2. In 2005, the legislature removed the element of "without authority" in the criminal trespass statute, and replaced it with the element of "malicious intent." Acts 2005, c. 812. You'd think that the lack of authority would be the fundamental aspect of a computer trespass but evidently it is too problematic, as evidenced by the Fourth Circuit opinion and the amendment to the Virginia statute. Computer users do things all the time that might be beyond the scope of what they are supposed to be doing. The result is that the criminalization of all computer use beyond the scope of express authority casts too wide a net.
Posted by Steve Minor at 2:18 PM