When you “access” a website, what are you authorized to do? And how would you know what is “authorized?” The federal Computer Fraud and Abuse Act, 18 USC 1030 makes it a crime to “access” a “computer” “without authorization,” and further makes it a crime to “exceed authorization” to access a computer. Courts and computer users have been struggling to determine exactly what it means to be “authorized” to use a computer. Does violation of a contract — whether it’s a “terms of service” or “terms of use” or an employment contract — constitute exceeding authorization and therefore “hacking?” Do you have to be expressly kicked out of a website or computer to “trespass,” or do you only exceed authorization to access a computer when you do something technical to break in?
On March 26, 2020 a federal Court in Washington State waded into this murky terrain in a dispute between a domain name registrar and a registrant who used high speed computers to access the registrar multiple times to get in front of the queue in violation of the registrar’s terms of service. It’s not that different than when a concert offers tickets on a “first come first serve” basis, and unscrupulous ticket brokers — in violation of the rules — use automated programs to snarf up all the good seats so they can resell them at higher prices. Does the registrant or the ticket broker, who violates the rules, “exceed authorized access” to the website, and thereby commit a crime?
The Washington case, Domain Name Commission v. DomainTools, Dkt. No. C18-0874RSL (D. Wash., March 26, 2020) following precedent in the federal Ninth Circuit said that the actions of the domain registrant, while in violation of the rules of the registrar, did not violate the Computer Fraud and Abuse Act. The lead case in that regard involved a company that scraped data from LinkedIn “public” webpages and sold data analytics on LinkedIn’s members. In that case, currently under consideration by the U.S. Supreme Court, the high court is being asked to decide “Whether a company that deploys anonymous computer “bots” to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites — even after the computer servers’ owner has expressly denied permission to access the data — “intentionally accesses a computer without authorization” in violation of the Computer Fraud and Abuse Act.” In other words, when you do something on a website or using a computer that the owner of the computer either doesn’t want you to do, or doesn’t specifically “authorize” you to do, are you trespassing?
When is a Trespass a Trespass?
In the Washington case, the Court held that a person accesses a computer “without authorization” only “when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or enlisting of a third party to aid in access will not excuse liability.” Take for example the case of Aaron Swartz who repeatedly accessed the database JStor from an MIT network, even though MIT kept kicking him off. He was prosecuted for both accessing the MIT computer (and the JStor database) without authorization and in excess of his authorization.
The problem is that most computer “hacking” — even that which is done without any authorization of the computer system owner — is done by exploiting a feature or vulnerability in an existing program or system that “permits” the access. Take for example a person who sends an e-mail with a phishing program attached. The e-mail contains a spoofed address, and the recipient opens the e-mail which then deploys the unknown payload. Is this “access” “without authorization?” Is it in excess of authorization? Certainly, the threat actor is “authorized” to “send mail.” If the sending of the mail is authorized, does the fact that the payload does something harmful make the access “unauthorized?” Does it make it in excess of authorization? Does it matter if the harmful effect is intended or inadvertent? In other words, what do we mean when we say something is “unauthorized?”
Exceeds Authorization
In addition to accessing initially without authorization, a person can “exceed” authorized access. As the Court in Washington noted, whether someone exceeds their authorization could be read in one of two ways. “The first would encompass situations in which a person’s authorization to access a computer is limited to certain files, programs, or databases, but he or she “hacks” into other areas of the computer without permission. In the alternative, the language could refer to a person who has unrestricted access to a computer, but who accesses the files, programs, or databases in a way or for a purpose that is proscribed by the owner.” One relates to virtual “place” – e.g., you can’t be here, the other relates to purpose — you CAN be here, but you can’t do this thing. Are both “exceeding authorization?”
In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the same court had ruled that an employee of a PR firm who accessed the firms computers to obtain customer lists to use to compete with the firm did not violate the computer fraud statute because his access to the computer was “authorized” although his use of the data he collected was not. In fact, the U.S. Supreme Court on April 20, 2020 agreed to hear a case about whether a police officer who used his real credentials to access the federal NCIC database to run a license plate not for law enforcement purposes, but for their own purposes “exceeded the scope of authorization” to access a computer. Van Buren v. United States, Dkt. No.19-783, cert. granted, April 20, 2020, decision below, United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
There’s no doubt that the domain name registrant was “authorized” to access the website of the domain name registrant. There’s also no doubt that the registrar did not want the registrant to do what they did, and took measures to prevent that — measures which were circumvented. And when the registrant continued, the registrar essentially told them that their use of the website was subject to the Terms of Service which prohibited their actions.
TOS’d
So, if someone does something that violates a website’s Terms of Service, are they acting in excess of authorization? In one California federal case, Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016), Facebook attempted to prevent a scraping service from downloading data and explicitly revoked their access to Facebook. The Washington court distinguished this case noting that the domain registrar did not kick the registrant completely off the service but simply reminded them that their access was subject to the ToS. There was no “explicit revo[cation of the] authorization for any access.” So maybe the lawyers who sent the cease and desist letter should have completely revoked the registrant’s access to the computer. The other main precedent was Ticketmaster LLC v. Prestige Entm’t W., Inc., 315 F. Supp.3d 1147, 1171 (C.D. Cal. 2018) where the concert ticket seller’s ToS explicitly prohibited the use of robots, programs, and other automated devices (“bots”) to make purchases, and Ticketmaster sent those violating the Terms of Service individualized cease-and-desist letter informing them that their access was restricted to that which conforms to Ticketmaster’s terms of use – revoking authorization upon breach of policy. The Washington court declined to follow the Ticketmaster precedent.
No Shirt, No Shoes, No Service
In a real-world analogy, imagine a restaurant (remember those) that had a policy that you had to wear shirts and shoes. The policy is written on the front door, but says “you are authorized to come in here ONLY if you are wearing a shirt and shoes.” A man walks in sans shoes and sans shirt. Is he trespassing? If the owner reminds the person of the policy saying, “sir, you must put on a shirt and shoes” is he trespassing now? What about saying, “sir, if you don’t put on a shirt and shoe’s I am going to ask you to leave?” Finally, if the owner says, “sir, because you are not wearing a shirt and shoes, you are not permitted to enter this restaurant, and are forever prohibited from coming in here for any purpose whatsoever. Leave NOW and don’t ever come back!” It appears that, with respect to actions that violate a company’s Terms of Service (like scraping and bots) you have to write a demand letter that is closer to the latter if you want to preserve the right to prosecute a trespass.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.