The Computer Fraud and Abuse Act: How Computer Science Can Help with the Problem of Overbreadth

Article excerpt

Table of Contents

I. Introduction
II. The CFAA and Judicial Theories of CFAA Interpretation
  A. Statutory Language of the CFAA
  B. Legislative History of the CFAA
  C. The Agency-Based Theory
  D. The Contract-Based Theory
  E. Criticism of the Agency- and Contract-Based Theories
III. The "Code-Based" Theory of Interpretation
  A. The Code-Based Theory
  B. Limitations of the Code-Based Theory
IV. A Computer Security Model of CFAA Interpretation
  A. Access Control Lists
  B. The Computer Security Model
  C. Justifications for the Computer Security Model
V. Conclusion

I. Introduction

On May 15, 2008, a federal grand jury indicted Lori Drew for violations of the Computer Fraud and Abuse Act ("CFAA") with charges alleging that Drew had created a fake MySpace (1) account for "Josh Evans," a fictitious 16-year-old boy. (2) Drew used the MySpace account to contact thirteen-year-old Megan Meier, with whom her daughter had shared a brief friendship. Meier later committed suicide at "Evans's" behest.

Although Drew's conduct was reprehensible, the decision of the U.S. Attorney's Office to prosecute under the CFAA, which criminalizes "intentionally access[ing] a computer without authorization," (3) drew criticism in both the popular press and scholarly journals. (4) The government's theory of the case based the charge on Drew's violation of MySpace's Terms of Service, rarely-read contractual terms to which MySpace users agree when they create a profile on the site. After a jury convicted Drew of misdemeanor CFAA violations, the trial judge overturned the conviction, granting Drew's motion for acquittal on the grounds that the CFAA, as applied in the case, was void for vagueness. (5) Criminalizing such violations, he wrote, would render the CFAA so broad as to "afford[] too much discretion to the police and too little notice to citizens who wish to use the [Internet]." (6)

The Ninth Circuit also rebuffed a broad interpretation of the CFAA in LVRC Holdings, LLC v. Brekka. (7) There, the plaintiff's theory was that the defendant violated the CFAA when he "accessed the company computer ... to further his own personal interests," which breached his duty of loyalty to his employer and rendered his access "without authorization" under the CFAA. (8) Noting "the care with which we must interpret criminal statutes to ensure that defendants are on notice as to which acts are criminal," the court declined to adopt the plaintiffs theory of the CFAA, finding that the CFAA failed to provide such notice. (9)

Both the prosecution in Drew and the plaintiff in LVRC, however, had precedent on their sides. "Access" and "authorization" are without statutory definitions in the CFAA, and courts have adopted multiple theories, including the contract-based theory of the Drew prosecutors and the agency-based theory of the LVRC plaintiff, in attempting to interpret these ambiguous terms. (10)

Such interpretations have some grounding in the language of the CFAA but also give the criminal statute incredible breadth. Commentators have proposed various solutions to this problem. (11) Professor Orin Kerr's influential "code-based" theory, for example, predicates violations of the CFAA on the circumvention of a computer code barrier. (12) Although commentators have noted many positive policy implications of Kerr's theory, (13) it has received some criticism (14) and has yet to be adopted by the courts. (15)

In attempting to resolve the definitions of "access" and "authorization" in the CFAA, this Note turns to a heretofore ignored discipline: computer science. In creating operating systems, computer scientists devised security models designed to control the accessibility of files in a networked system with multiple users. understanding these models can inform our understandings of "access" and "authorization" in the CFAA, just as understanding digital rights management can inform our understanding of copyright infringement and the design of cable television systems can inform our understanding of cable theft. …