After the opening remarks by David Bitkower, The George Washington Law Review Symposium’s first Panel addressed the question: “What is Unauthorized Access?” The name of the panel references the language of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a), which prohibits anyone from “access[ing] a computer without authorization or exceeding authorization.” An enduring question regarding the CFAA is how to define “unauthorized access.” Matthew Kugler, Aditya Bamzai, and Josh Goldfoot discussed two potential approaches to resolving that question, while Ric Simmons acted as moderator.
Mr. Kugler, Law Clerk to Judge Richard Posner of the Seventh Circuit, spoke on his article “Measuring Computer Use Norms.” Mr. Kugler, grappling with the lack of definition concerning unauthorized use of computer systems, pursued a norm-based theory of authorization. To determine these norms, Mr. Kugler designed a study to measure the beliefs of adult Americans regarding a variety of computer misuse. He began by outlining the design of his study before examining his findings. A commercial survey company selected a representative sample of adults in the United States. The final sample contained 593 participants, the vast majority of whom were American citizens. The participants answered questions concerning a person engaged in some sort of activity on a computer. The participants rated the extent to which the person had authorization to use the computer in such a way, the extent to which it was morally blameworthy, and whether and how the actor should be punished.
Due to limited time, Mr. Kugler was only able to share a portion of the results from his study. Possibly the most common instance of computer misuse is an employee using a work computer for personal matters after being informed of the computer use policy forbidding such action. Although participants found all violations of the policy were unauthorized, the results showed a clear difference between an employee “slacking” at work and an employee using a company computer to obtain trade secrets or customer information: the latter was thought to be much more unauthorized. These results support the notion that norms surrounding “authorization” and computer use align with the CFAA’s imposition of felony punishments: there is a clear sensitivity to the potential harm caused by the unauthorized access. Interestingly, the participants did not differentiate substantially between the same unauthorized action on a government computer versus a private company computer. The participants also made no substantial differentiation between the way in which an employee was informed of the computer policy.
The results that Mr. Kugler found most shocking involved Wi-Fi access. The scenarios presented to the participants were accessing a neighbor’s Wi-Fi network. There was a clear willingness of participants to punish an individual who had access to even an unsecured Wi-Fi network. As Mr. Kugler emphasized, this exact example has been given as an obvious overreach of CFAA authority: no prosecutor or legislator has suggested that this action that should be punishable by law.
Josh Goldfoot and Aditya Bamzai, of the Department of Justice’s National Security Division of the Department of Justice (not speaking on behalf of the Department), presented their article, “A Trespass Framework for the Crime of Hacking.” Mr. Bamzai presented first, reaffirming that much of the debate surrounding the CFAA centers around the terms “unauthorized” and “access”. It is generally believed that Congress, in using the term “unauthorized access,” intentionally borrowed a term of art from the crime of physical trespass and thus intended to use the same framework for computer trespass. The article rejects the idea that computer trespass departs from the analytical framework for physical trespass and proposes the following: A defendant commits a computer trespass if she intrudes on someone else’s property (the computer) when she knew or should have know of an express or implied prohibition on entry that is material or related to access.
Mr. Bamzai continued with a series of comparisons to illustrate the framework. For example, a website can condition usage on an age requirement just as a bar conditions entry on photo identification proving the entrant is over 21 years of age. Admittedly, the case of United States v. Nosal, where an employee used an employer’s computer for personal use, is more difficult to put into context as few company policies prohibit employees from using company physical premises for personal use, but the analytical framework is still effective. He ended his time with two proposed areas of further research: (1) If the same analytical framework applies to computer and physical trespass, should the resolutions be the same? And if not, why? (2) Should the merits of a vagueness challenge to the CFAA be the same as to physical trespass statutes?
Mr. Goldfoot discussed the mental state required by the CFAA: intent. The government could prove the intention of the defendant to gain unauthorized access in several ways. A code-based barrier test, presents a theoretical issue. Because computers do what we tell them to do, there is no true circumvention, even when a hacker accesses a password-protected computer. Thus the normative concept of authorization is deemed more important: the defendant understands that the owner of the computer intends to exclude her if there is a password required for access. As an illustrative point: in the 2003 Senate Judiciary Memo Scandal, there was no password to access these memos, so under a code-based test, that would not have been unauthorized access, despite the fact that the memos were not meant to be viewed. A human language policy does not present the same problem: if a defendant is told that she is not permitted access to the computer, the lack of authorization is as clear as a lawyer’s cease and desist letter.
Mr. Simmons followed the presentation with questions to the panelists. In particular, the audience was interested in how to avoid prosecuting innocent-minded people when the norms surrounding authorized access to computer are in flux. Mr. Goldfoot answered that the intentional requirement built into the CFAA is sufficient protection. Mr. Kugler suggested that evolving norms will settle in this area, as they have in others, probably in twenty years or so.
For more on this topic, look for Kugler’s article, “Measuring Computer Use Norms,” and Goldfoot & Bamzai’s article, “A Trespass Framework for the Crime of Hacking,” in The George Washington Law Review, Symposium Issue 84:6.
This summary was authored by Law Review member Julia Duke.