On April 11th, the Third Circuit Court of Appeals reversed the conviction and 41-month prison sentence of a Computer Fraud and Abuse Act (CFAA) defendant, holding that he was tried and convicted in an improper venue.  U.S. v. Auernheimer, No. 13-1816 (3rd Cir. Apr. 11, 2014).  Though we usually do not post on procedural issues like these, we certainly post on substantive CFAA developments.

In footnote 5 of its opinion, the court said that the government failed to prove that defendant accessed the network “without authorization, or in excess of authorization” under New Jersey’s state computer-crime law.  That is the same language in the CFAA over which federal courts have been split for the last several years regarding employee liability for misuse of company files.  The Third Circuit’s footnote indicates that it is leaning toward the narrower, pro-employee / pro-defendant interpretation, espoused by the Fourth and Ninth Circuits, which prohibits CFAA liability for employees who merely abuse their otherwise legitimate access to company files.

The defendant in Auernheimer (a/k/a “Weev”) was convicted of “slurping,” which, at least in this case, involved the automated scraping of user email addresses from their login screens on their computer tablets.  Such slurping and scraping did not involve “hacking,” or circumventing a code- or password-based barrier to a user account or network.  Rather, the slurpers merely found loopholes in public-facing login screens, and gathered the username email addresses which the account providers unintentionally “published.”  In other words, slurping did not involve “accessing” an account “without authorization” from the provider or accountholder.  It merely involved scraping together information which was publicly available, albeit inadvertently from the provider’s and user’s standpoint.

After defendant and his “co-conspirator” gathered 114,000 email addresses and went to the press with this alleged “security flaw,” the New Jersey U.S. Attorney’s Office obtained a two-count indictment against them for conspiracy to violate the CFAA, and for violation of New Jersey’s computer crime statute.  Defendants objected to venue in New Jersey, citing the facts that they “slurped” from their homes in California and Arkansas, and that the cell network’s affected servers were located in Texas and Georgia.  The district court overruled defendants’ objections, and a jury eventually convicted them on both counts.  The district court sentenced Weev to 41 months in prison.

In reversing the conviction, the Third Circuit said that venue in criminal cases implicated constitutional rights, which were violated in this case by defendants’ being tried and convicted so far from home and where they allegedly broke the law.  In pointing out that neither defendant “accessed a computer in New Jersey,” the court noted that the government failed to prove that defendants’ slurping of email addresses amounted to access “without authorization, or in excess of authorization” under the state cybercrime law.  (P. 12, n. 5).  Defendants merely wrote a program which scraped together publicly available information, the access of which could not be unauthorized.

This reasoning indicates that the Third Circuit is leaning toward the pro-employee, pro-defendant interpretation of the CFAA’s “without authorization” and “exceeding authorization” provisions.  The Fourth and Ninth Circuit Courts of Appeals have adopted that approach, holding that the CFAA does not apply to employees who copy files and send them to or use them for a competitor.  The access itself was not unauthorized, even if the subsequent file use was.  Thus, no liability under the statute’s plain language.  The Fifth, Seventh and Eleventh Circuits take the opposite stance; that employees who use their otherwise authorized access to company computers can be liable under the CFAA for their subsequent misuse of the files on those computers.  Under normal agency law, employees have no authorization to use company files against the company.  Their accessing the company’s computers for that purpose, those courts held, violated the CFAA.

Granted, the dicta reasoning is not binding on district courts in the Third Circuit, or on the Third Circuit itself.  But the court’s interpretation of the very same CFAA language over which other federal courts have issued conflicting decisions for the past two decades again points up the need for the Supreme Court to resolve the split, or for Congress to amend the statute.  The Obama administration lobbied the Senate in 2011 to adopt the Fifth, Seventh, and Eleventh Circuits’ pro-employer position, but nothing yet.  As it stands, whether a disloyal employee may be prosecuted or sued under the CFAA depends on the federal circuit in which he or she works.