We were delighted to continue our conversation on unauthorized access under the CFAA with three esteemed academics: Patricia Bellia, Professor of Law at Notre Dame Law School, Michael J. Madison, Professor of Law at Pitt Law, and James Grimmelmann, Professor of Law at Maryland Law. Professor Paul Ohm of Georgetown Law, who later shared his views on proposed changes to the CFAA during Panel 4, deftly moderated Panel 2.
In fairly stark contrast to our discussion of the CFAA in the context of broad social and psychological norms surrounding computer fraud during Panel 1, Professor Bellia kicked off Panel 2 by discussing her forthcoming article A Code-Based Approach to Unauthorized Access, which, as the name suggests, advocates for a narrower, code-based approach to the CFAA. A code-based approach assesses “authorization” by asking whether someone is bypassing a technical restriction on access.
Professor Bellia first approached the core issue of “unauthorized access” by asking a descriptive question: How can we really understand what the courts are doing? Recent opinions seem to characterize themselves as “narrow” or “broad.” She believes that the tides have shifted, as more and more courts are identifying their approaches as taking a “narrow” view of the CFAA. She sees five different approaches that have been taken by courts: those of agency, norms of access, policy, contract, and code-based. Professor Bellia wants to provoke courts to think more critically about which approach they are adopting. She also identifies a question that she believes has not yet been asked: What if a policy or contract tries to condition the initial access on the user’s purpose, e.g. what they intend to do with the information? She predicts that some courts would, despite claiming to take a “narrow” approach, find a valid restriction there.
Chiming in on our earlier discussion of the relation of consent to authorization of access, Professor Bellia moved on to a normative question: “If this is all about consent, shouldn’t we just be asking how clear it is to the user that their conduct was improper?” In advocating for the code-based approach, she argues “code is a pretty clear indicator of the scope of consent,” because it can clearly signal the boundaries of access.
Further, Professor Bellia asks: If authorization is based on consent, consent as to what? Although commentators generally assume that “access” is any transmission or use of the system, that broad interpretation of “access” may not be right, if we consider the legislative intent behind the CFAA. The computers that existed in 1984, when the CFAA was enacted, were not ones that a member of the general public could simply transmit a command to. In that vein, the language of the CFAA may signify that Congress did not intend for “access” to include “transmissions”—why would the computer damages provision says “transmission that causes damage” if we could just call that “access”?
Finally, Professor Bellia opined that layering the CFAA over existing state causes of action amplifies the uncertainties in interpretation, and the code-based approach lends more clarity to those laws than the other approaches.
Professor Madison shifted the conversation to an analysis of the CFAA through his perspective as a copyright scholar, as shared in his paper Authority and Authorship, which presents conceptual, theory-oriented points about information, information resources, and how “access” in that context is understood in a broad sense.
Professor Madison began by stating “what is perceived to be open and what is perceived to be closed” by computer users should be congruent with what is open and what is closed in the legal sense. The Internet can have a “physicalist” character, lending itself to metaphorical affinity with physical ideas of place. He has found that there is a kind of latent conceptual framework beneath the language and the law of the CFAA that is grounded in the metaphorical physicalist user experience, that seems to be understood by users across many different demographics and even different cultures. Thus, as network computer information can be seen as a kind of property resource; boundaries and borders of that resource are only usable in a legal sense if they are salient and visible in a social and cultural sense. That makes the legal shape of the Internet align with user experience and expectations.
Professor Madison’s second point considers the Internet as a resource, importing a conceptual structure of resource management, where understanding the users’ relation to the resource is as important as understanding the creators’ or owners’ relation to the resource. Through this lens, we can more fully determine what “authorization” and “access” truly do or should mean.
Finally, Professor Madison makes the point that copyright is only starting to figure out that “authorship” necessarily embraces a corresponding idea of “audienceship,” and that you cannot have the former without the latter. This translates to the CFAA conversation, because the idea of “authority” in the CFAA requires and depends on an interpretive construct of the audience, or the user, on the other half of the equation. He highlights the idea that we not only need to understand “authority,” but also who the audience is, and how the interpret and understand what they see as “authority.” He finds that the normative aspect of this conversation is critical: What kind of Internet do we want to have? What counts as good or bad behavior related to this resource? At the end of the day, for Professor Madison, this is a normative question.
Professor James Grimmelmann’s paper Consenting to Computer Use analyzes authorization under the CFAA as a question of consent. By applying Peter Weston’s taxonomy of consent, Professor Grimmelmann found that expressive factual consent (either express or implied), is particularly effective in defining CFAA authorization. This is in contrast to attitudinal consent, which does not practically make sense in the CFAA context. Professor Grimmelmann acknowledges that there are certain cases, such as U.S. v. Nosal, in which expressive factual consent does not equate to prescriptive legal consent. However, there are cases such as Craigslist v. 3 Taps which are the opposite of Nosal; there is no factual consent, but the court may find imputed legal consent granted by the owner simply by running an open-access website. Through those cases, constructive consent is also implicated by the CFAA. As Professor Grimmelmann sees it, policy reasons guide the analysis. Certain policy judgments, he explained, are undoubtedly necessary where there is ambiguity as to the presence of factual consent. In these instances, the ambiguity of the underlying factual consent means that the court can pass off policy judgments about liability under legal fictions of consent. Thus, “authorization” inherently requires construction by the courts, which is delegated to them by the CFAA, and not just interpretation or textual analysis.
Advocating for deeper, constructive analysis of “authorization” under the CFAA as a question of consent, Professor Grimmelmann left the audience with this final statement: “The CFAA raises hard legal questions, and it does no good to assume they can be answered with purely doctrinal tools.”
Following the panelists’ presentations, Professor Ohm kicked off our Q&A by asking if it makes sense to break the property focus, and think about authorization in the commons context, where consent of the owner may be the wrong lens. Professor Grimmelmann responded that a complete departure from property law may not be necessary to reconcile those ideas, as traditional property law is not so simple – there is a commons doctrine there as well, the nuances of which may be brought to the online context. Professor Bellia explained that the difficulties of applying the property lens to the CFAA are why it’s so important for owners to signal what is or is not permitted, which can easily be done through the code-based approach.
An audience question then shifted the conversation to civil application of the CFAA under 1030(g), which had been briefly but not thoroughly discussed after David Bitkauer’s opening remarks. He asked: Why don’t we just amend the civil liability section out of the CFAA? Or is there value to having parallel civil liability? Professor Madison pointed out that property law analogies lend themselves to allowing for civil liability under the CFAA, and another audience member chimed in to say that the effective use of the civil injunction provision within 1030(g) by private parties also points to its utility and necessity.
This summary was authored by Law Review member Keturah Taylor.