The broad scope of the CFAA is continuously being challenged among the legal community for ascribing criminal liability to otherwise harmless activities with computers and on the Internet. But why isn’t anyone complaining about the even broader state level computer crime statutes?
Let’s take a moment to talk about Domanik Green. About a year ago, fourteen-year old Domanik sat down at a computer in his middle school in Florida, and with a generic administrative password that was commonly known throughout the school, he changed his teacher’s computer wallpaper to a picture of two men kissing. This childish and immature prank, which Domanik surely thought was funny at the time, resulted in a felony charge under Florida’s Computer-Related Crimes statute. The language of the statute provides felony liability for anyone who:
815.06 (2)(a) Accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized.
The statute does not require the offender to actually do anything to the computer system, and mere unauthorized access is enough to be a punishable offense. Surely most people appreciate the absurdity of an eighth-grader being arrested and charged with a criminal felony for playing a stupid prank that did not result in any injury, loss, or harm.
It would be unfair to exclusively pick on Florida for this absurd result. Every single state has its own version of the CFAA, each as broad as the next, including California—home base of the Ninth Circuit Court of Appeals that sparked the circuit split over the interpretation of the CFAA’s scope of liability with U.S. v. Nosal. Similar to Florida, California’s computer crime statute casts a remarkably broad net for actions that would be deemed in violation of the law. The statute specifically reads:
[A]ny person who commits any of the following acts is guilty of a public offense … (c)(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.
Just like in his home state of Florida, Domanik would be held equally as liable under California’s statute because he altered the wallpaper on his teacher’s computer, and knowingly did so by accessing the school’s computer system without express authorization.
Without Permission v. Without Authorization
The main debate over the CFAA, and the central contention of the federal circuit split, is the interpretation of “exceeds authorized access.” In regards to computer passwords and using another individual’s password to access a computer that you would otherwise not be authorized to access, the Ninth Circuit opined in Nosal that using another individual’s password would amount to a mere violation of a contractual user agreement, and therefore should not create criminal liability within the scope of “exceeds authorized access.” However, in a curious decision handed down by the Ninth Circuit in August of 2015 (more than three years after Nosal was decided), the court said that use of another individual’s valid password and/or login credentials would amount to “access […] without permission” under the California computer crime statute.
The difference here between the California statute and the CFAA is that the California statute uses the language “knowingly accesses and without permission” as opposed to “exceeds authorized access.” In my unqualified, unlicensed, third-year law school student opinion, the scope of the California statute only covers instances where no authorization exists whatsoever. This scope is more similar to the CFAA’s “without authorized access” provision, which is included in the part of the CFAA that Nosal decided would not include the use of another individual’s password.
To clarify, according to the Ninth Circuit, using another individual’s password would not constitute “accesses [of] a computer without authorization or exceeds authorized access” as prescribed by the CFAA. However, the court simultaneously maintains that the use of another individual’s password would constitute “accesses […] without permission” to fall within the scope of the California statute. Am I the only one who thinks this is rather contradictory?
I encourage readers to share their thoughts.