Monday, September 21, 2009

"Authorization" Revisited

Last November I did a post on the U.S. Court of Appeals for the Seventh Circuit’s opinion in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (2006). I disagreed with several things the Seventh Circuit did in the case, one of which was to construe the “exceeding authorized access” crime very broadly (and erroneously, IMHO).

Last week the U.S. Court of Appeals for the Ninth Circuit issued an opinion that dealt with that same issue but, I think, did a much better job of parsing the “exceeding authorized access” element of the crime. The opinion issued in LVRC Holdings, L.C.C. v. Brekka, 2009 WL 2928952 (2009). You can find the opinion here. You can locate it by the title of the case or by using the docket number (07-17116).

As is evident from the title of the case, it’s a civil suit. Here, according to the Court of Appeals, are the facts that led LVRC to sue Brekka:

LVRC operates Fountain Ridge, a residential treatment center for addicted persons, in Nevada. . . . LVRC retained LOAD, Inc. to provide email, website, and related services for the facility. . . .

In April 2003, LVRC hired Brekka. . . . Part of his duties included conducting internet marketing programs and interacting with LOAD. . . .

Brekka . . . commuted between Florida, where his home . . . [was] located, and Nevada, where Fountain Ridge . . . [was] located. Brekka was assigned a computer at LVRC, but . . . emailed documents he obtained or created in connection with his work for LVRC to his personal computer. LVRC and Brekka did not have a written employment agreement, nor did LVRC promulgate employee guidelines that would prohibit employees from emailing LVRC documents to personal computers.

In June 2003, Brekka [emailed] LOAD's administrator, Nick Jones, requesting an administrative log-in for LVRC's website. Jones sent an email with the user name, `cbrekka@fountainridge.com’ and password, `cbrekka,’ to Brekka's work email, which Brekka downloaded onto his LVRC computer. By using the administrative log-in, Brekka gained access to information about LVRC's website, including the usage statistics gathered by LOAD. Brekka used those statistics in managing LVRC's internet marketing.

In August 2003, Brekka and LVRC entered into discussions regarding . . . Brekka purchasing an ownership interest in LVRC. . . . Brekka emailed . . . LVRC documents to his personal email account . . . [that] included a financial statement for the company, LVRC's marketing budget [and] admissions reports for patients at Fountain Ridge. . . . On September 4, Brekka emailed a master admissions report, which included the names of past and current patients at Fountain Ridge, to his personal email account.

In mid-September, negotiations regarding Brekka's purchase of an ownership interest in LVRC broke down, and [he] ceased working for LVRC. Brekka left his LVRC computer at the company and did not delete any emails . . . so the June 2003 email from Nick Jones, which included the administrative user name and password, remained on his computer.

After Brekka left . . ., other LVRC employees had access to Brekka's former computer, including Brad Greenstein, a consultant who was hired shortly before Brekka left and who assumed many of Brekka's responsibilities. At some point after Brekka left, the email with the administrative log-in information was deleted from his LVRC computer.

On November 19, 2004, . . . Jones noticed someone was logged into the LVRC website using the user name `cbrekka@fountainridge.com’ and was accessing LVRC's LOAD statistics. Jones contacted Greenstein about the . . . log-in. . . . Greenstein instructed Jones to deactivate the `cbrekka’ log-in, and Jones did so. . . .

LVRC Holdings LCC v. Brekka, supra. LVRC filed a federal lawsuit against Brekka, claiming he violated 18 U.S. Code § 1030 “by accessing LVRC's computer `without authorization,’ both while Brekka was employed at LVRC and after he left the company.” LVRC Holdings LCC v. Brekka, supra.

As I’ve noted in earlier posts, § 1030 is the basic federal computer crime statute. It outlaws a number of activities, including accessing a computer without being authorized to do so or by exceeding the scope of one’s authorized access. As I’ve noted, although § 1030 is a criminal statute, it also creates a civil cause of action for those injured by conduct violating the statute’s substantive provisions. 18 U.S. Code § 1030(g).

LVRC’s suit alleged that Brekka committed two of the § 1030 crimes – the § 1030(a)(2) crime and the § 1030(a)(4) crime. Section 1030(a)(2) makes it a crime to intentionally access a computer without authorization or by exceeding authorized access and thereby obtain information from a protected computer, i.e., a computer the use of which affects interstate or foreign commerce. (That essentially means any computer, especially any computer linked to the Internet.) Section 1030(a)(4) makes it a crime for someone who acted “knowingly and with intent to defraud” to access a computer without authorization or by exceeding the scope of their authorized access in order to further the intended fraud and obtain anything of value.

Brekka moved for summary judgment on LVRC’s claims. As Wikipedia explains, when someone moves for summary judgment under U.S. law, they are asking the court to throw the entire case or certain claims in the case out because (i) there are no genuine issues of material fact to be resolved at trial and (ii) when the law is applied to the facts that are not in dispute, the party moving for summary judgment should prevail.

For LVRC to prevail on its § 1030(a)(2) claim and/or on its § 1030(a)(4) claim, it had to be able to prove, at trial, that Brekka accessed LVRC computers either (i) without being authorized to do so or (ii) by exceeding the scope of his authorized access to them. The federal district court judge who granted Brekka’s motion for summary judgment found that LVRC couldn’t prevail on either claim because LVRC had not produced any

evidence demonstrating Brekka accessed an LVRC computer or any . . . documents on the computer `without authorization’ . . . when he emailed documents to himself . . . before he left the company. The [judge found] Brekka had `authorization’ to access the LVRC computers . . . because he was employed by LVRC at the time he emailed documents to himself . . . and there was no evidence [he] agreed to keep the emailed documents confidential or to return or destroy [them] upon the conclusion of his employment. [The judge also] held LVRC had not put forth evidence from which a . . . jury could find Brekka logged into the LVRC website after leaving [its] employ.

LVRC Holdings LCC v. Brekka, supra. LVRC appealed, but unfortunately for LVRC, the Court of Appeals agreed with the district court judge.

LVRC tried to use the Citrin decision to buttress its claim that Brekka acted without/in excess of his authorization to access the LVRC computers. It claimed an employee loses “authorization to use a company computer when the employee resolves to act contrary to the employer's interest. In Citrin, the [Seventh Circuit] held an employee's authorization to access a computer ended for purposes of § 1030 when the employee violated his duty of loyalty to his employer.” LVRC Holdings LCC v. Brekka, supra. The reasoning in Citrin was that the employee breached his duty of loyalty when he accessed his employer’s computer and erased data, in furtherance of his plan to start a competing business. LVRC seems to have claimed that Brekka had similar intentions when he accessed its computers.

The Ninth Circuit Court of Appeals noted that if it applied the Citrin holding to the LVRC case, Brekka “would have breached his duty of loyalty to LVRC when he allegedly resolved to transfer key LVRC documents and information to his personal computer to further his own competing business, and at that point his authorization to access the computer would have ended.” LVRC Holdings LCC v. Brekka, supra. This Court of Appeals, however, declined to follow Citrin for several reasons.

One was that § 1030 is fundamentally a criminal statute and “`ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity.’” LVRC Holdings LCC v. Brekka, supra. The rule of lenity is based on the premise that people should not have to guess at what a criminal statute forbids, which means courts should avoid expanding the scope of a statute unless such an expansion is clearly supported by the language of the statute or the legislative history surrounding its adoption. Neither was true here.

The Ninth Circuit found that “[n]othing in [§ 1030] suggests that a defendant's liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer”. The court found, instead, that whether an employee’s actions were authorized “depends on actions taken by the employer. . . . If the employer has not rescinded the defendant’s right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law . . . duty to the employer would constitute” a crime under § 1030. LVRC Holdings LCC v. Brekka, supra.

The Ninth Circuit therefore held that in deciding whether Brekka accessed LVRC’s computers without authorization/by exceeding authorized access, it had to apply the plain language of § 1030. It found that because there was “no dispute that Brekka was given permission to use LVRC’s computer and that he accessed documents or information to which he was entitled by virtue of his employment”, Brekka did not access the LVRC computers without authorization in violation of § 1030. LVRC Holdings LCC v. Brekka, supra. The Ninth Circuit affirmed the district court’s granting Brekka summary judgment on LVRC’s claims, which meant the case was over.

I think the Ninth Circuit got it right. As I noted in an earlier post, the Seventh Circuit’s position in Citrin -- that we can consider employee disloyalty in deciding whether or not someone exceeded authorized access or acted without authorization -- distorts what the § 1030 “access” crimes are about. They are essentially burglary or trespass crimes; they criminalize “going somewhere” in a computer you’re not supposed to be. "Access" crimes are about property control; they let the owners of computers set boundaries which define who can legitimately “enter onto” and make use of computer property, just as "trespass" crimes let owners of real property define who can legitimately enter onto their physical property.

The only legitimate inquiry in a § 1030 “access” crime case, then, is whether the defendant intentionally or knowingly “entered onto” computer property without being authorized to do so. Now, the § 1030 crimes all include an additional element: that I somehow cause damage as the result of my unauthorized access. This element, however, is separate and distinct from the issue of unauthorized access. In analyzing a § 1030 "access" charge, a court must first decide if the person accessed a computer without being authorized to do so; if they did, and only if they did, the court then decides if they caused damage by gaining such access.

It's erroneous to conflate the “access” and “damage” elements of these crimes. As I noted in an earlier post, if we want to incorporate the employee’s “evil purpose” into a criminal charge (or a civil claim) under the § 1030 provisions, we can do that by adding a new crime . . . the faithless employee who abuses or ignores authorization crime. Doing that would be consistent with the rule of lenity because it would put people on notice that faithlessness can bring added civil or criminal liability.

