|Computer Fraud & Abuse Act|
- Crime / CFAA |
- - Govt Computer
- - Protected Computer
- - Pri Right Action
- - Passwords
- - Blackmail
- - Damage
- Theft of Info
- - Classified Info
- - Govt Info
- - Info from Protected Computers
- Data Retention
- - White House
- - DHS
- - NIST
- - NTIA
- - FCC
Derived From: Charles Doyle, Cybercrime: A Sketch of 18USC 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)
Paragraph 1030(a)(3) condemns unauthorized intrusion (“hacking”) into federal government computers whether they are used exclusively by the government or the federal government shares access with others. Broken down into its elements, paragraph (a)(3) makes it unlawful for anyone who:
Without Authorization Intentionally Either Accesses a government computer maintained exclusively for the use of the federal government, or accesses a government computer used, at least in part, by or for the federal government and the access affects use by or for the federal government
Consequences: Imprisonment for not more than one year (not more than 10 years for repeat offenders) and/or a fine under title 18 (the higher of $100,000 for misdemeanors/$250,000 for felonies or twice the amount of the loss or gain associated with the offense, 18 U.S.C. 3571). These, like most federal offenses committed by juveniles, are usually tried in state court. Violations of each of the paragraphs of subsection 1030(a) may trigger forfeiture, restitution, money laundering, civil liability and racketeering provisions found elsewhere.
Other criminal liability: attempt, conspiracy, complicity & more: An attempt to violate any of the paragraphs of subsection 1030(a), and conspiracy to violate any federal law are separate federal crimes, 18 U.S.C. 1030(b), 371.
Simply hacking into government computers—without damage to the system, injury to the government, or gain by the hacker—implicates only a few other laws. It may breach the “hacking-and-acquiring-information” ban of paragraph 1030(a)(2), discussed infra. It may also violate one of the state computer crime statutes.
18 U.S.C. § 1030(a)(3) [NIIP Analysis]
The CFAA deals with bad people who bother about “protected computers.” This is not a reference to the use of firewalls or virus protection (although these are good ideas). Originally “protected computers” were computers from financial institutions and the government. Gradually this definition has been expanded to include all networked computers, inside the U.S. or outside. 18 U.S.C. § 1030(e)(2)(B). [Shurgard WDWA 2000]
Computers on the Internet are 'protected computers.' [Trotter 8th Cir 2007 (Non-profit's computers are engaged in interstate communications connect to Internet)] [Walters 11th Cir. 2006) (stating that the internet is an instrumentality of interstate commerce)] [Fowler 945 MDFL 2010 (computer connected to Internet is 'protected computer')] [Multiven NDCA 2010 (finding that a computer connected to the internet was a protected computer)] [National City Bank, N.A. EDWA 2010 (stating that "any computer connected to the internet is a protected computer")] [Expert Janitorial EDTN Mar. 12, 2010] [Dedalus Foundation SDNY 2009 (noting that courts have "found that computers that access the Internet through programs such as email qualify as protected computers")] [Continental Group, SDFL 2009 (noting that a connection to the internet affects interstate commerce or communication)]
Knowingly transmits a worm or virus and intentionally causes damage [Smith] [Mitnick] [Morris] Intentionally hacks a computer and recklessly causes damage, or Intentionally hacks a computer and causes damage And the damage results in The loss of at least $5000 in a year for a person A change to a medical examination, diagnosis, treatment or care Physical injury to a person A threat to public health or safety, or Harm to a computer owned or used by the government in furtherance of justice, defense, or security.
Section 1030(a)(5) Matrix
|Source: The National Information Infrastructure Protection Act of 1996, Legislative Analysis by CCIPS USDOD (updated June 1998)|
18 U.S.C. § 1030(a)(5).
There has been clarification on what constitutes a bad deed:
Inserting a disabling code into software without a provision in the license. [North Texas Sec. IV.A] Data-mining where consent is lacking. [Register] [EFCultural] Email harvesting in violation of terms of service. [Can Spam Act] [LCGM] Accessing and sending proprietary information from current employer to new employer. [Shurgard] Deleting files and using a trace removal tool to scrub the memory of any vestiges of the files. [Citrin]
Not Bad Deeds:
Inserting disabling code into software with a provision in the license. [North Texas] Placing cookies on a computer. [Doubleclick] [Intuit] [Chance] Port scans. [Moulton] Designing shoddy software. [18 U.S.C. § 1030(g), a probably response to Shaw]
Note that this provision has a mens rea; the hack must be intentional. Some courts have interpreted "intentional" to mean "intentional access" as opposed to "intentional damage." [Morris p 509] [Sablan p 868]
Where the bad deed falls under 18 U.S.C. § 1030(a)(5)(B), there is a private right of action. 18 U.S.C. § 1030(g). [Theofel at 1078] [IMS at 526] [Yonkers] [See Fiber Sys Intl (finding private right of action for violation of any CFAA provision)] Remedy includes compensatory damages, injunctive relief, or equitable relief. Actions must be brought within 2 years of the date of the act or the discovery of the damage. Injured parties may also consider seeking relief under the Electronic Communications Privacy Act which prohibits the unauthorized interception and access of communications.
Derived From: Charles Doyle, Cybercrime: A Sketch of 18USC 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)
Paragraph 1030(a)(5) proscribes unleashing worms or viruses or otherwise causing computer damage, that is, (A) intentionally causing unauthorized damage by knowingly causing a transmission to a protected computer; (B) recklessly causing damage by intentionally accessing a protected computer; or (C) causing damage and loss by intentionally accessing a protected computer. These kinds of damage are only federal crimes under paragraph 1030(a)(5) if they involve a protected computer. There are five types of protected computers or computer systems. The five include computers (1) used exclusively for or by the United States Government; (2) used exclusively for or by a bank or other financial institution; (3) used in part for or by the United States Government where the damage “affects” government use or use on the government’s behalf; (4) used in part for or by a bank or other financial institution where the damage “affects” use by or on behalf of the institution; and (5) used in, or affecting, interstate or foreign commerce or communications.
Penalties: Recidivism and causing serious damage recklessly or intentionally are punished more severely than first offenses or causing damage without necessarily intending to do so or than causing less serious damage intentionally or recklessly. First-time offenders that do not cause serious damage are punishable by imprisonment of not more than one year. When an offender with a prior conviction causes damage that is not serious, he is punishable by imprisonment for more than 10 years. Offenders with a prior conviction who intentionally or recklessly cause damage that is not serious are punishable by imprisonment for not more than 20 years.
On the other hand, intentionally causing serious damage through a knowing transmission to a protected computer is punishable by imprisonment for not more than 10 years (not more than 20 years for a second or subsequent offense). Recklessly causing serious damage following unauthorized access or attempted access carries a penalty of imprisonment for not more than five years (not more than 20 years for a second or subsequent offense). An offender who knowingly or recklessly causes or attempts to cause serious bodily injury or death by knowingly causing an intentionally damaging transmission to a protected computer is punishable by imprisonment for not more than 20 years (any term of years or life if death results).
Other than physical injury or death, the types of serious damage that trigger more severe punishment are damage that (1) causes a loss that over the course a year exceeds $5,000; (2) modifies, impairs, or could modify or impair medical services; (3) causes physical injury; (4) threatens public health or safety; (5) affects a justice, national defense, or national security entity computer; or (6) affects 10 or more protected computers over the course of a year.
Other Crimes: The general observations concerning attempt, conspiracy and complicity noted for the simple trespass paragraph apply here. In addition, there are more than a few other federal statutes that might be implicated by damage or destruction of federal property, of the property of financial institutions, or of property used in interstate or foreign commerce. A partial inventory might include: 18 U.S.C. 844(f)(destruction of federal property by arson or explosion); 18 U.S.C. 1853 (destruction of timber of U.S. lands); 18 U.S.C. 2071 (destruction of government records); 18 U.S.C. 1361 (destruction of federal property); 18 U.S.C. 1362 (destruction of federal communications property); 18 U.S.C. 32 (destruction of aircraft or aircraft facilities); 18 U.S.C. 33 (destruction of motor vehicles or their facilities); 18 U.S.C. 2280 (destruction of maritime navigational facilities); 18 U.S.C. 1992 (causing a train wreck); 18 U.S.C. 1367 (damaging an energy facility).
Knowingly and with intent to defraud traffics in computer passwords or “similar information through which a computer may be accessed.”
18 U.S.C. § 1030(a)(6).
Derived From: Charles Doyle, Cybercrime: A Sketch of 18USC 1030 and Related Federal Criminal Laws, Congressional Research Service (Dec. 27, 2010)
Paragraph 1030(a)(6) outlaws misconduct similar to the access device proscriptions of section 1029. Although limited, it provides several distinct advantages. First, it covers passwords to government computers more clearly than does section 1029. Second, as something of a lesser included offense to section 1029, it affords the government plea bargain room in a case that it might otherwise be forced to bring under section 1029 or abandon. Third, it contributes a means of cutting off the practice of publicly posting access to confidential computer systems without imposing severe penalties unless the misconduct persists. Fourth, it supplies a basis for private enforcement through the civil liability provisions of subsection 1030(g) of misconduct that may be more appropriately addressed by the courts as a private wrong. The elements of the crime are:
knowingly and with an intent to defraud trafficking in (i.e., “to transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of” (18 U.S.C. 1029(e)(5))) a computer password or similar computer key either of a federal computer or in a manner that affects interstate or foreign commerce.
Penalties: not more than one year (not more than 10 years for repeat offenders) and/or a fine under title 18, 18 U.S.C. 1030(c)(2). Offenders are also civilly liable to their victims, 18 U.S.C 1030(g).
Other crimes: The generally applicable provisions dealing with attempt, conspiracy and complicity will apply with equal force in cases involving paragraph 1030(a)(6). Paragraph 1030(a)(6) appears to have few counterparts in federal law, other than the prohibition against trafficking in access devices (credit card fraud) under 18 U.S.C. 1029(a)(2) and the wire fraud provisions of 18 U.S.C. 1343. Nevertheless, either of these may provide the foundation for a RICO (18 U.S.C. 1962) or money laundering (18 U.S.C. 1956, 1957) prosecution, so that should conduct in violation of paragraph 1030(a)(6) also offend either the mail fraud or credit card fraud prohibitions, a criminal breach of RICO or the money laundering provisions may also have occurred.
With intent to blackmail, transmits a threatens to damage a computer.
18 U.S.C. § 1030(a)(7).
This paragraph provides that no one shall
transmit in interstate or foreign commerce any communication containing any threat to cause damage, [i.e., “any impairment to the integrity or availability of data, a program, a system, or information, that causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals causes physical injury to any person; or threatens public health or safety” (1030(e)(8))] to a protected computer with the intent to extort money or a thing of value from any person, firm, association, educational institution, financial institution, government entity, or other legal entity.
Penalties: not more than five years (not more than 10 years for second and subsequent offenses) and/or a fine under title 18, 18 U.S.C. 1030(c), and victims may claim the advantages of the civil cause of action available under 18 U.S.C. 1030(g).
Other crimes: The general observations concerning attempt, conspiracy and complicity noted with respect to the other paragraphs of 1030(a) apply here. Violations of paragraph 1030(a)(7) may also offend 18 U.S.C. 1951 (extortion that affects commerce); 18 U.S.C. 875 (threats transmitted in interstate commerce); 18 U.S.C. 876 (mailing threatening communications); 18 U.S.C. 877 (mailing threatening communications form a foreign country); and 18 U.S.C. 880 (receipt of the proceeds of extortion).
In order for a cause of action to be maintained, there must be a minimum $5000 damage. This has been a notorious problem where, for example, Clifford Stoll’s $0.75 accounting discrepancy was insufficient to garner federal attention, even if the hacker’s breadcrumbs indicated international espionage of highly sensitive military information.
Plaintiff must allege that the violation caused at least $5000 in economic damages. [Global Policy Partners at 647 EDVA 2010] [Sharma DMD 2013]
The damage must be caused by the alleged CFAA violation. [Hillsboro EDMO 2010] [Global Policy Partners at 647 EDVA 2010]
So what is “damage” and “loss”? “The term ‘damage’ means any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). A “loss” is
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.
18 U.S.C. § 1030(e)(11). Damages can include
Cost incurred in response to and investigation of the incursion. Vanderhye 645-46 (cost expended by Turnitin for investigation of incursion when a student who turned in a paper using another students username and password) Sharma DMD 2013 Sealord Holdings, Inc. v. Radler, No. 11-6125, 2012 WL 707075, at *4 (E.D. Pa. Mar. 6, 2012) (quoting Fontana v. Corry, No. 10-1685, 2011 WL 4473285, at *7 (W.D. Pa. Aug.30, 2011)) ("Numerous district court decisions in the Third Circuit have held that to fall within this definition of `loss,' the `alleged "loss" must be related to the impairment or damage to a computer or computer system.'") Clinton Plumbing & Heating of Trenton, Inc. v. Ciaccio, No. 09-2751, 2011 WL 6088611, at *5 (E.D. Pa. Dec. 7, 2011) ("A compensable `loss' under the CFAA . . . is the cost of remedial measures taken to investigate or repair the damage to the computer, or the loss is the amount of lost revenue resulting from a plaintiff's inability to utilize the computer while it was inoperable because of a defendant's misfeasance.") Cost of salaries of employees to repair system Larsen 553 9th Cir 2006 (stating that losses "include the time that the victim's salaried employees spend responding to the unauthorized intrusion") Millot 1061 8th Cir 2006 (recognizing that hours spent by employees responding to an intrusion constitute losses under the statute, because their time could have been spent on other duties) Middleton 1214 9th Cir 2000 (finding that a salaried employee's time spent responding to an intrusion is a loss under the statute, because "[t]here is no basis to believe that Congress intended the element of `damage' to depend on a victim's choice whether to use hourly employees, outside contractors, or salaried employees to repair the . . . harm to a protected computer") Fowler MDFL 2010 NCMIC Finance Corp 1065 SDIowa 2009 (finding that the company's chief information officer's time spent investigating the matter was appropriately considered a loss under the statute) Theft of trade secrets [Shurgard] Lost profits. 18 U.S.C. 1030(e)(11) Nexans Wires S.A. v. Sark-USA, Inc., 166F. App'x 559, 562(2d Cir. 2006) ("[T]he plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an `interruption in service.'"))
Damage does not include
Attorney's fees. Mintel Int'l Group, LTD. v. Neergheen, No. 08-3939, 2010 WL 145786, at *10 (N.D. Ill. Jan. 12, 2010) (holding that fees paid to a computer expert to assist the plaintiff in litigation against alleged violator, but not for the purpose of assessing computer damage, were not "losses" under the CFAA) Del Monte Fresh Produce, N.A., Inc. v. Chiquita Brands Int'l Inc., 616 F. Supp. 2d 805, 812 (N.D. Ill. 2009) Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627, 647 (E.D. Pa. 2007) Wilson v. Moreau, 440 F. Supp. 2d 81, 110 (D.R.I. 2006).
According to DOJ, "any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property ‘in the thieves' market,’ can be used to meet the” required showing of a minimum $5,000 minimum damage. [NIIP] [Steroga]
What does it mean to have "unauthorized access" to a computer or network. 18 U.S.C. §§ 1030(a)(2), 1030(a)(5)(A). When can authorized access become unauthorized access? If one who has authorized access then misappropriates information on the computer, has that access become "unauthorized"? If one has access to a public website, but then violates that site's terms of service, has the access become a criminal unauthorized access? Can the police prosecute as a federal crime a violation of a site's Terms of Service? Some courts confronting this conundrum have opined that using the CFAA to redress such actions "transform[s] the CFAA from an anti-hacking statute into an expansive misappropriation statute." But not all courts are in agreement.
The Southern District of New York stated:
Where a statutory term is undefined, it must be given its ordinary meaning. Santos, 553 U.S. 507, 128 S. Ct. at 2024 ; Broxmeyer, 2010 WL 3001351, at *3; see also United States v. Morris, 928 F.2d 504, 511 (2d Cir. 1991) (holding that the word "authorization" for purposes of the CFAA is "of common usage, without any technical or ambiguous meaning," and therefore the district court "was not obliged to instruct the jury on its meaning"). "Authorization" is generally defined as the "act of authorizing" or "permission or power granted by an authority." See, e.g., The Random House Dictionary of the English Language 100 (Unabridged ed. 1970). The term "authorize," in turn, ordinarily means to grant authority or permission to do something. See, e.g., The American Heritage Dictionary 121 (4th ed. 2000) ("To grant authority or power to; [t]o give permission for; sanction."); 1 Oxford English Dictionary 799 (2d ed. 1989) ("To give legal or formal warrant to (a person) to do something; to empower, permit authoritatively."); The Random House Dictionary of the English Language 100 (1970) ("[T]o give authority or official power to; empower; to give authority for; formally sanction (an act or proceeding)."); Webster's Third New International Dictionary 146 (1993) ("[T]o endorse, empower, justify, or permit by or as if by some recognized or proper authority."). Based on the ordinary meaning of "authorization," then, a person who "accesses a computer without authorization" does so without any permission at all. By contrast, a person who "exceeds authorized access" has permission to access the computer, but not the particular information on the computer that is at issue.
[Aleynikov Sec. D SDNY 2010]
"Courts have generally and sensibly concluded that the scope of an individual's authorization to access a computer network is analyzed 'on the basis of the expected norms of intended use.'" [Phillips 219 5th Cir 2007] [Creative Computing 9th Cir 2004] [EF Cultural Travel 582 1st Cir 2001] [Morris 505 2nd 1991]
Question: If an individual accesses a computer service in violation of a Terms of Service or Acceptable Use Policy or Employment Policy - does that constitute an unauthorized access for CFAA purposes?
United States v. Teague, 646 F.3d 1119 (8th Cir. 2011). "There, the defendant used her privileged access to the National Student Loan Data System to obtain the student-loan records of President Obama. See id. at 1121. Following a jury trial, the defendant was convicted of one count of exceeding authorized access to a computer in violation of the CFAA. On appeal, the Eighth Circuit rejected the defendant's argument that there was insufficient evidence that she was the person who accessed President Obama's student-loan records. See id. at 1122-23. Because the defendant did not raise the issue, the Eighth Circuit did not decide whether accessing information for an improper purpose could violate the CFAA." Violation of Terms of Service is not sufficient to establish that unauthorized access. [US v Lori Drew CDCA 2009] use of another's password to access website without website owner's permission was unauthorized access in violation of CFAA [Vanderhye 645 4th Cir 2009] [State Analysis 316 EDVA 2009]
Misuse / Misappropriation of information
- Having authorized access to information, but then misusing or misappropriating that information, is not a violation of the CFAA
- Synthes, Inc. v. Emerge Med., Inc., 2012 U.S. Dist. LEXIS 134886, 52 (E.D. Pa. Sept. 19, 2012). Generally, the Computer Fraud and Abuse Act § 1030(a)(4), prohibits the unauthorized access to information rather than unauthorized use of such information.
- Aleynikov Sec. D SDNY 2010
- Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010) ("The CFAA expressly prohibits improper `access' of computer information. It does not prohibit misuse or misappropriation.")
- Walsh Bishop Assocs., Inc. v. O'Brien, 11-cv-2673 (DSD/AJB), 2012 WL 669069, at *4 (D. Minn. Feb. 28, 2012)
- Shamrock Foods 965-66 DAr 2008 ("[L]egislative history confirms that the CFAA was intended to prohibit electronic trespassing, not the subsequent use or misuse of information.")
- Condux Intern., Inc. v. Haugum, 08-cv-4824 (ADM/JSM), 2008 WL 5244818, at *6 (D. Minn. Dec. 15, 2008) ("[T]he conduct at the heart of the dispute is not the access of the confidential business information but rather the alleged subsequent misuse or misappropriation of that information. Such allegations, however, are not sufficient to state a claim for violations of [18 U.S.C. § 1030(a)(4)].")
- But Compare
- US Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1195 (D. Kan. 2009) (Lungstrum, J.) (party may violate CFAA by exceeding initially-authorized access to a computer system)
Narrow Interpretation :: No CVAA Violation: "an employee with authority to access his employer's computer system does not violate the CFAA by using his access privileges to misappropriate information."
Broad Interpretation :: CVAA Violation: "an employee accesses a computer "without authorization" or "exceeds authorized access" within the meaning of § 1030 whenever the employee, without knowledge of the employer, possesses an adverse interest or breaches the duty of loyalty to the employer, thereby terminating her agency relationship." [US v John 271 5th Cir 2010 ("`authorization' may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system . . . at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime")]
See Orin Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1634 (2003) (explaining that the agency theory of authorization extends liability to "an employee's use of an employer's computer for anything other than work-related activities.").
This can become a complicated issue when a network like a Wi-Fi network is openly available to the public with no notice of restriction, or when an employee has authorization to access a network but then does something disgruntled. There are lots of circumstances where this is less than clear. One example of this that has arisen is open Wifi networks. If a coffee house leaves a network open and unsecured, and a bloke standing outside with a Skype phone automatically detects and connects to that Wifi network, is it unauthorized access? Some states have concluded that it is. [Register (defendant on notice lacked permission to datamine website)] [Galbraith (critiquing use of CFAA in Register case)] [Four Seasons Hotels (spoofed computer made to look authorized on network)] [LCGM (violation of TOS can create unauthorized access)]
Where an individual come upon an open network, if the individual uses that network, does the individual run afoul of state law. This issue is commonly seen in the context of the question of access to a computer network utilizing an open, unsecured wireless access point (WAP), where an individual with a WiFi enabled device seeks to access the computer network. See WiFi Theft for a discussion. But it could be as simple as a stand alone remote terminal in a library or other public space, or an open, unsecured Ethernet jack in a public government building.
Several states have conclude that for access to be unauthorized, the network or system must be using security of some type. See Louisiana, New York, Nebraska, Massachusetts, and Minnesota.
The state laws seem to fall out into two categories:
Those states that require the outsider to know that access to a network is unauthorized for the access to be unauthorized. This creates the defense on the part of the outsider that the outsider simply did not know. This places the burden on the network owner to provide notice to the outsider.
Those states that require the outsider to know that access is authorized for the access to be authorized. This places the burden on the outsider to acquire knowledge that access is permissive before utilizing a network. A few states require notice to potential network users. Minnesota
The States Chart has a column labeled Open Network? This column seeks to break state laws into groups according to whom has the burden. This is clearly just are opinion in the context of an academic evaluation and discussion (in other words, if you need legal advice, consult an attorney)
Recall that the issue is whether an individual accessing an open network runs afoul of state law; no nefarious intent is assumed - we can assume that this is just Joe Dude seeking to do a quick email check. Therefore some states' laws which have an element of bad intent or bad action would not appear to apply at all.
Many scholars have likened this analysis to a Trespass to Chattels argument. [Hale] [Kern] [Bierlein] Several courts have applied Trespass to Chattels jurisprudence to "unauthorized access" to computers issues. [Register.com at 404] Trespass to Chattels has been used in spam cases. [Compuserv] [AOL v IMS] [AOL v LCGM] [AOL v Natl Health Care Disc] Other course have been unpersuaded that Trespass to Chattels applies to computer access cases. [Intel]
Contrasting Trespass to Chattels and Trespass to Real Property (land) , the problem is that Trespass to Chattels addresses the deprivation of use from the owner of some thing - while Trespass to Real Property addresses whether access to the real property is authorized or not (ie., trespass).
According to the Restatement (Second) of Torts, “A trespass to a chattel may be committed by intentionally (a) dispossessing another of the chattel, or (b) using or intermeddling with a chattel in the possession of another.” RESTATEMENT (SECOND) OF TORTS § 217.
While Trespass to Chattels typically is the appropriate analysis for stuff that is not real property, the question before us is whether access is authorized (trespass), not whether someone has deprived someone else the use of some thing.
Some authorities note that the use of security to restrict access to a network is provides notice to individuals that access is restricted and potentially unauthorized. [EF Cultural Travel p 63 (“After all, password protection itself normally limits authorization by implication (and technology), even without express terms.”)]
Sotelo v. DirectRevenue, L.L.C., 384 F. Supp. 2d 1219 (N.D. Ill. 2005) (applying Trespass to Chattels) Southwest Airlines v. Farechase, Co., 318 F. Supp. 2d 435 (N.D. Tex. 2004) (applying Trespass to Chattels) Intel v. Hamidi, 30 Cal. 4th 1342 (2003) ("In Hamidi the California Supreme Court held that a former Intel Corporation employee's e-mails to current Intel employees, despite requests by Intel to stop sending messages, did not constitute trespass of Intel's e-mail system.") eBay, Inc. v. Bidder’s Edge, 100 F. Supp. 2d 1058 (N.D. Cal. 2000) (applying Trespass to Chattels) Thrifty-Tel, Inc. v. Bezenek, 54 Cal. Rptr. 2d 468 (Cal. Ct. App. 1996) ("unauthorized access to telephone system constituted trespass to chattels") Thrifty-Tel, 54 Cal. Rptr. 2d at 473 n.6 (Trespass to Chattels: “In our view, the electronic signals generated by the Bezenek boys’ activities were sufficiently tangible to support a trespass cause of action.” White Buffalo Ventures L.L.C. v. Univ. of Texas, 420 F.3d 366, 377 n.24 (5th Cir. 2005) (Trespass to Chattels) Register.com v. Verio WEC Carolina Energy Solutions LLC v. Miller (4th Cir.)
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009) "The Ninth Circuit holds: "[A] person uses a computer 'without authorization' under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway."" US v Powers (D Nebraska Mar. 4, 2010) upholding claim where allegedly defendant accessed email account of victim, with password she had provided to him, and sent out emails with nude pictures of her to addresses in her address book - court implicitly finding that intent of defendant in accessing computer is relevant to whether access is unauthorized. Computer Fraud Blog Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 768-70 (N.D. Ohio 2008) ("recognizing split of authority as to meaning of "without authorization"") SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593 (E.D. Va. 2005) ("dismissing CFAA claims against non-party to licensing agreement where licensee of software permitted non-party to access licensee's server and copy licensor's proprietary information because licensee "authorized" non-party's access to its own computers")