A superseding indictment returned by a federal grand jury
charges Kevin Cave “with intentionally exceeding authorized access to a
protected computer for private financial gain in violation of
§ 1030(a)(2)(C) and (c)(2)(B)(i).” U.S. v. Cave, 2013 WL 3766550
(U.S. District Court for the District of Nebraska 2013). He filed a motion to dismiss the
superseding indictment, claiming it “fails to state an offense.” U.S. v.
Cave, supra. The motion would have
been made under Federal Rules of Criminal Procedure Rule 12(b)(3)(B).
The U.S. District Court judge who has the case referred the
motion to a U.S. Magistrate Judge to review it and decide whether it should be
granted; pursuant to the usual procedure, the Magistrate Judge considered the
motion, and held a hearing on the matter. U.S.
v. Cave, supra. He issued a Report
and Recommendation (R&R) that was reviewed by the district court judge, who
decided whether to accept the recommendation the Magistrate Judge made. U.S. v. Cave, supra.
The R&R says Cave was “an officer with the Omaha Police
Department from September 23, 2002, until September 7, 2012.” U.S. v. Cave, supra. As an OPD officer,
Cave was
Train[ed] on the use of the Nebraska
Criminal Justice Information System database (NCJIS). . . . NCJIS
allows approved agencies to link to databases that provide information
including criminal history information, driver's license information,
employment information, information from penal institutions, and probation and
parole information. . . .
Before accessing NCJIS, approved agencies
must sign a memorandum of understanding (MOU) acknowledging the confidentiality
of the information found on NCJIS. . . . Approved agencies then train users
within the agency on these regulations. . . . Information found
within NCJIS is for use by law enforcement personnel within their official
capacity only and is not to be made public. . . .
U.S. v. Cave, supra. The R&R also explains that OPD is an
agency authorized to
use NCJIS. . . .
Cave completed training and was authorized to use NCJIS on January 24, 2008,
and remained authorized until September 7, 2012. . . . The
government alleges that beginning on March 2, 2010, until August 21, 2012, Cave
conducted unauthorized NCJIS database searches in an effort to locate certain
individuals and disseminated the information to car dealerships attempting to
repossess vehicles. . . .
The government alleges the car
dealerships paid Cave up to $200.00 for each lead and he received a total of
about $16,050.00. . . . The government alleges Cave
violated 18 U.S. Code § 1030(a)(2)(C) and (c)(2)(B)(i) by exceeding
his authorized access to NCJIS and obtaining information that he then made
public for personal financial gain. . . .
U.S. v. Cave, supra.
In his motion, Cave argued that the superseding indictment
should be dismissed because it `fails
to state an offense for the reason the government has pled facts tending to
show that [he] misappropriated information, not that he was without
authorization or exceeded his authorization in accessing such information.’ . .
. Cave contends he did not `exceed authorized access’ within the plain meaning
of the phrase under [§1030]. . . . Cave also contends that
legislative history leans towards a narrow interpretation of the phrase
`exceeds authorized access’ which would exclude the misuse of information. . .
.
U.S. v. Cave, supra.
In earlier posts, I have noted that 18 U.S. Code § 1030(a)
creates two “access” crimes: the “outsider” crime (access a computer without
being authorized to do so) and the “insider” crime (being authorized to access
a computer, the person exceeds the scope of their authorization to do so). In other posts, I have noted that the
applicability of the first crime is usually factually and legally
straightforward, while the applicability of the second crime, the “insider”
crime, can be more challenging.
In his legislative history argument, Cave claimed that “looking
into legislative history behind [18 U.S. Code § 1030] would support” a “more
narrow interpretation of the phrase `exceeds authorized access’”. U.S. v. Cave, supra. More precisely, he claimed “the original
purpose of the statute" was "`to prohibit electronic trespassing, not
the subsequent use or misuse of information.’” U.S. v. Cave, supra. In his
R&R, the Magistrate Judge explained that in in 1986, the U.S. Senate
changed the
wording of [§1030]. In Senate
Report No. 99–432, the Senate explained, `Section 2(c) substitutes the phrase
“exceeds authorized access” for the more cumbersome phrase in present 18
U.S. Code § 1030(a)(1) and (a)(2), “or having accessed a computer with
authorization, uses the opportunity such access provides for purposes to which
such authorization does not extend”’. The Committee intends this change to
simplify the language[.]. S. Rep. No. 99–432, at *9 (1983). . . .
Cave contends that . . . the
Senate meant to eliminate coverage of the phrase, `or having accessed a
computer with authorization, uses the opportunity such access provides for
purposes to which such authorization does not extend.’ . . . Cave asserts that
because the coverage of this phrase is eliminated, if Congress had intended
this area to be covered Congress would have included coverage under the
statute.
U.S. v. Cave, supra.
The Magistrate Judge was not convinced. He noted that “[i]n the 1986 Senate
report, the Senators stated that the reasoning behind changing the language was
only `to simplify the language’ and not to change the scope of the coverage as
alleged by” Cave. U.S. v. Cave, supra. He then found that “because the intent of the
legislature as to § 1030(a)(2) was only to simplify the
language, the scope of coverage was not changed, therefore using access for
purposes to which authorization does not extend remains within the scope of” 18
U.S. Code § 1030(a)(2)(C). U.S. v. Cave,
supra.
The Magistrate Judge next took up Cave’s other argument,
i.e., that the superseding indictment should be dismissed because its factual
allegations did not show that he exceeded his authorized access to the NCJIS
system. U.S. v. Cave, supra. He began by noting that 18 U.S. Code § 1030
provides that whoever
`intentionally accesses a computer
without authorization or exceeds authorized access and thereby obtains . . . information
. . . shall be guilty of a felony.’ The phrase `exceeds authorized access’ . .
. means, `to access a computer with authorization and to use such access to obtain
or alter information in the computer that the accesser is not entitled so to
obtain or alter.’ 18 U.S. Code § 1030(a)(2)(C).
`A person is “without authorization” when
an individual either (1) has never been granted access to the computer yet
obtains access to the computer without the access-grantor's permission, or (2)
has been granted access as the access-grantor's agent but loses authorization
to access the computer when the agent breaches his duty of loyalty.’ NCMIC
Fin. Corp. v. Artino, 638 F.Supp.2d 1042 (U.S. District Court for the Southern District of Iowa 2009). `Both inquiries focus on a person's intent at
the time of accessing the computer, not on a person's subsequent
misappropriation of the information or thing of value obtained from the employer's
computer.’ NCMIC Fin. Corp. v. Artino, supra.
U.S. v. Cave, supra.
The Magistrate Judge’s R&R then reviewed the arguments
both parties made on this issue, beginning with Cave, who argued that
since he at no time altered any
information on the database or at no time did he lack the authorization to
obtain information from NCJIS, he did not `exceed authorized access’ according
to the statute. . . .. Additionally, Cave asserts he was granted full access to
the information on the database, thus he did not exceed his authorized use.
U.S. v. Cave, supra.
The Magistrate Judge then noted that the prosecution argued
that Cave did not have
authorization
to access the information to begin with because the search was done for an
improper purpose. . . . The government does not allege that Cave
conducted a proper search and then misused the information; instead the
government alleges that the search was improper from the start. . . . The
government contends that Cave's searches were not connected to any legitimate
law enforcement activity, and therefore were not authorized. . . .
U.S. v. Cave, supra.
In the R&R, the Magistrate Judge then found that when
OPD obtained access to
NCJIS, OPD signed a MOU. The MOU specifically
stated use of NCJIS is `for the purpose of improving public safety and
improving the ability of criminal justice agencies in the performance of their
official duties.’ . . . After OPD signed the MOU and obtained access to NCJIS,
OPD trained their officers on the rules and regulations prescribed in the MOU,
specifically addressing regulations pertaining to access and disclosure and the
confidential nature of the information found on NCJIS. . . .
Cave allegedly accessed confidential
information available through NCJIS and provided such information to car
dealerships attempting to repossess vehicles. . . . In return, Cave
allegedly received money. . . . OPD granted Cave access to NCJIS
for the limited purposes set forth in the MOU, specifically, for the purpose of
`improving the ability of criminal justice agencies in the performance of their
official duties.’ Cave's actions, if proven, fit within the definition of
`exceeds authorized access’ because accessing confidential information for
personal financial gain is not within the aforementioned purpose.
U.S. v. Cave, supra. The Magistrate Judge therefore recommended to
the U.S. District Court judge that the motion to dismiss be denied. U.S. v.
Cave, supra.
Cave filed an objection to the R&R with the District
Court judge, claiming “the magistrate judge's interpretation `adds the new
element of access with “bad intent” and ignores the plain meaning of the words
and phrases employed in the statute.” U.S.
v. Cave, supra. The judge did not
agree:
Contrary to Cave's argument, the
magistrate judge's analysis does not add an element of intent to [§1030] it
merely acknowledges the realities of Cave's authorization under the memorandum
of understanding. In the R&R, the magistrate judge defines the outer
limits of the authorization NCJIS and OPD granted the defendant -- not the
limits of the statute. Filing No. 30 at 5 (`OPD granted Cave access to NCJIS
for the limited purposes set forth in the MOU . . . accessing confidential
information for personal financial gain is not within the aforementioned
purpose’).
U.S. v. Cave, supra.
The judge then pointed out that, as the prosecution pointed
out, the United States
Courts of Appeals for the First, Fifth,
Seventh, and Eleventh Circuits have come to the conclusion that a person
granted access for limited purposes exceeds authorization when he or she
pursues other purposes. See, e.g., U.S. v. Czubinski, 106 F.3d 1069 (U.S. Court of Appeals for the 1st Circuit 1997) (`Czubinski
unquestionably exceeded authorized access’ when he used a database . . . for an
unauthorized purpose); U.S. v. John, 597 F.3d 263 (U.S. Court of Appeals for the 5th Circuit 2010) (`“exceeds authorized access” may include exceeding the
purposes for which access is “authorized”’); International Airport Centers, LLC v. Citrin, 440 F.3d 418 (U.S.Court of Appeals for the 7th Circuit 2006); (`Citrin's breach of his
duty of loyalty terminated his agency relationship . . . and with it his
authority to access the laptop'); U.S. v. Rodriguez, 628 F.3d 1258 (U.S. Court of Appeals for the 11th Circuit) ([government’s] policy . . . is that use of databases to obtain
personal information is authorized only when done for business reasons . . . `the
plain language of [1030] forecloses any argument that Rodriguez did not exceed
his authorized access’ by accessing the database for other reasons).
U.S. v. Cave, supra. He therefore entered an order denying the
motion to dismiss. U.S. v. Cave, supra.
No comments:
Post a Comment