Eleventh Circuit Rules On Workplace Computer Policies Regarding Exceeding Authorized Access
January 4, 2011
Last week, the Eleventh Circuit decided an important case, United States v. Rodriguez, on the computer crime statute known as the Computer Fraud and Abuse Act, 18 U.S.C. 1030. The decision by Judge Pryor touches on the same issue that was in play in the Lori Drew case: When does violating express conditions on computer use constitute a crime? The court’s conclusion seems right on its specific facts, but I worry that it will be construed as adopting a very broad theory that would be quite troubling. So I want to introduce the legal issue, then talk about the Rodriguez case, and then return to the legal issue and talk about how it might apply going forward.
I. The Prohibition on Unauthorized Access
First, some context. Federal law makes it a crime to “exceed authorized access” to a “protected computer” and thereby obtain “information.” 18 U.S.C. 1030(a)(2)(C). Essentially everything on the planet Earth that contains a microchip is a “protected computer”; any data at all counts as “information”; and merely reading information counts as “obtaining” it. As a result, whenever you’re using a computer, the line between computer use that is legal and computer use that can have you arrested and thrown in jail hinges almost entirely on what makes computer use “exceed authorized access.”
The phrase “exceed authorized access” is a defined phrase, but unfortunately the definition is circular. According to 18 U.S.C. 1030(e)(6), “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.” That’s not a very helpful definition, if you think about it. Entitlement and authorization mean the same thing. As a result, the definition just says that you exceed authorized access when you have authorization but then you, well, exceed it, by doing something you’re not authorized to do. Gee, thanks. The missing aspect of the definition is what principle governs authorization (or entitlement, if you prefer). Is it just the computer owner’s say so? Does it require the computer owner to put up some sort of password gate that limits authorization? How do you know what you’re entitled to do for purposes of the criminal law?
This is a really hard question, I think. To see why it’s hard, consider the following eight scenarios. Specifically, consider which of the people in these scenarios “exceeded authorized access” to a computer in violation of federal law:
1) A government employee who has access to a sensitive national security database that he is only permitted to use for official reasons instead uses the database in order to collect private data and sell it to the Chinese government.
2) A Social Security Administration employee who has access to a Social Security database that he is only permitted to use for official reasons instead uses the database just to check out private information on friends and others for purely personal reasons.
3) An associate of a consulting company who is told that he can only access his employer’s computer files for work-related reasons instead looks through the employer’s files because he is thinking of leaving to start a competitor business and is looking for ideas of future clients and services.
4) A city employee who is told that he can only access the city’s computer for work-related reasons instead spends five minutes a day surfing the Internet for pornography.
5) A mother who signs up for a MySpace account that the Terms of Service condition on being entirely truthful in setting up a profile instead lies on the profile and uses the MySpace account anyway.
6) A law student who is forbidden by law school policy to access the law school network during class decides to do so anyway to check his e-mail during a particularly boring lecture.
7) The New York Times reports that there is a website set up at www.dontvisitthiswebsite.com that has some incredible pictures posted. But there’s a catch: The Terms of Service of the website clearly and unambiguously say that no one is allowed to visit the website. A reader of the Times wants to see the pictures anyway and visits the website from his home Internet connection.
8) The Volokh Conspiracy announces a new rule that you are only allowed to visit the blog if your goal in doing so is to further libertarianism. Someone visits the blog to post comments criticizing libertarianism.
So which of these eight scenarios violate the federal criminal law prohibiting exceeding authorized access to a computer? In my experience, almost everyone says that the first scenario does. Most say that the second does, too. Scenarios #3, #4, and #5 draw a mixed reaction. Finally, most people think #6 isn’t a crime, and pretty much everyone agrees it would be utterly ridiculous for #7 or #8 to be a crime.
The problem is that the statute doesn’t provide an obvious way to get to these intuitive results. The intuitive results are based on intuitions of harm. We instinctively think that harmful things should be a crime, while entirely innocuous things shouldn’t be. But the prohibition on unauthorized access does not include a harm element. The statute prohibits exceeding authorized access in the model of a trespass statute, not exceeding authorized access in a way that is likely to cause a lot of harm. (Harm matters to get to the felony provisions, but not the misdemeanor provisions.) All eight scenarios listed above are variations on the same basic theme: In each case, the person was told by the owner/operator of the computer that they were not permitted to use the computer in that way or for that reason – but they did so anyway. All of which raises a profoundly important question: What principle governs when the announced restrictions on using a computer trigger criminal liability?
II. United States v. Rodriguez
The new case, United States v. Rodriguez, involved Scenario #2. Rodriguez was a Social Security Administration employee who used the SSA computers for purely personal reasons. The opinion explains:
From 1995 to 2009, Roberto Rodriguez worked as a TeleService representative for the Social Security Administration. Rodriguez’s duties included answering questions of the general public about social security benefits over the telephone. As a part of his duties, Rodriguez had access to Administration databases that contained sensitive personal information, including any person’s social security number, address, date of birth, father’s name, mother’s maiden name, amount and type of social security benefit received, and annual income.
The Administration established a policy that prohibits an employee from obtaining information from its databases without a business reason. The Administration informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily. The Administration also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing. The Administration warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases. From 2006 to 2008, Rodriguez refused to sign the acknowledgment forms. He asked a supervisor rhetorically, “Why give the government rope to hang me?” To monitor access and prevent unauthorized use, the Administration issued unique personal identification numbers and passwords to each TeleService employee and reviewed usage of the databases.
In August 2008, the Administration flagged Rodriguez’s personal identification number for suspicious activity. Administration records established that Rodriguez had accessed the personal records of 17 different individuals for nonbusiness reasons. The Administration informed Rodriguez that it was conducting a criminal investigation into his use of the databases, but Rodriguez continued his unauthorized use. None of the 17 victims knew that Rodriguez had obtained their personal information without authorization until investigators informed them of his actions.
Based on his conduct, Rodriguez was charged with 17 counts of unauthorized access, convicted, and sentenced to serve a year in prison. On appeal, he argued that his conduct did not exceed authorized access. In an opinion by Judge Pryor, the Eleventh Circuit treated that argument as almost frivolous:
The policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons. Rodriguez conceded at trial that his access of the victims’ personal information was not in furtherance of his duties as a TeleService representative and that “he did access things that were unauthorized.” In the light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.
In a subsequent part of the opinion, Judge Pryor made clear that “Rodriguez exceeded his authorized access and violated the Act” because “he obtained personal information for a nonbusiness reason.” Rodriguez tried to argue that he should not be held liable because his violation of SSA policy did not cause a greater harm or have a greater scheme to cause harm. But Judge Pryor properly noted that the basic prohibition on unauthorized access did not require a harm:
The misdemeanor penalty provision of the Act under which Rodriguez was convicted does not contain any language regarding purposes for committing the offense. See id. § 1030(c)(2)(A). Rodriguez’s argument would eviscerate the distinction between these misdemeanor and felony provisions. That Rodriguez did not use the information to defraud anyone or gain financially is irrelevant.
III. Commentary: What Are The Limits of Rodriguez?
Just based on its facts, the result in Rodriguez seems sound. In a sense, it is unremarkable. Indeed, the First Circuit noted the same conclusion in dicta in an early case with almost identical facts. See United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) (noting, in an unauthorized access prosecution of an IRS employee who accessed the IRS database for personal reasons, that the defendant “unquestionably exceeded authorized access” by using the sensitive database for personal reasons). See also Commonwealth v. McFadden, 850 A.2d 1290 (Pa. Super. Ct. 2004) (interpreting a state unauthorized access statute to punish use of a sensitive police computer system for personal reasons). And I suspect most people will say that based on the facts of Rodriguez, the result was correct. Rodriguez seems like a really bad guy, and his conduct was a pretty serious privacy violation.
What troubles me is that the Eleventh Circuit’s rationale seems broader than the facts of this one case. The rationale of the opinion suggests that the issue was trivially easy: There was a policy on access; the defendant violated it after being told not to; and therefore he exceeded authorized access. Pretty straightforward. The clarity of the rationale seems to support the view that accessing an employer’s computer for “a nonbusiness reason” after being told not to do so is a crime not just in this case, but for any limitation imposed and for any nonbusiness reason. In other words, while the rationale covers scenario #2, it also seems to cover scenarios #3 and #4. And I suspect some readers will read the opinion to support even more of the scenarios – maybe #5, maybe even #6 and #7.
In a recent article, I tried to offer a way out of this mess: constitutional vagueness doctrine, the doctrine used in the Lori Drew case. In my essay, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561 (2010), I argued that defense attorneys should challenge readings of the unauthorized access prohibition as unconstitutionally vague in order to force the courts to adopt narrow interpretations. My view is that the requirements of vagueness doctrine should force courts to say that only certain kinds of restrictions on computer use in certain kinds of contexts can constitutionally be used to trigger the criminal prohibition on unauthorized access.
I don’t think such an argument would have worked for the defendant in the Rodriguez case, to be clear. Those facts strike me as pretty close to the core of the prohibition. But I’m worried about the next case. And I don’t think these are idle concerns. Scenarios #3, #4, and #5 are based on real criminal cases charged in the last two years. Scenario #3 is based on United States v. Nosal, 2009 WL 981336 (N.D. Cal. 2009); Scenario #4 is based on State v. Wolf, 2009 WL 1152185 (Ohio App. 2009); and Scenario #5 is based on the Lori Drew case. State and federal prosecutors have shown that they’re willing to take favorable precedents like Rodriguez and run with them through the different scenarios. Given that, it’s troubling to me when a court endorses the government’s theory in a case like this without any apparent realization of where the government is going next or the broader possible impact of the decision. To be clear, I’m not blaming the panel: This was a very strong panel; the opinion was authored by an excellent judge; and the facts of this case were pretty egregious. But I think the issue is a bit more complicated than the opinion suggests, and it’s frustrating when defense attorneys don’t successfully bring out these complications in ways that judges can factor into their decisions.
Finally, if vagueness doctrine doesn’t help cure some of the problems with Section 1030, it would be nice if Congress revisited the statute to explain just what it wanted to criminalize. But then I wouldn’t hold my breath expecting that to happen any time soon.