Academic journal article Harvard Law Review

The Vagaries of Vagueness: Rethinking the CFAA as a Problem of Private Nondelegation

Academic journal article Harvard Law Review

The Vagaries of Vagueness: Rethinking the CFAA as a Problem of Private Nondelegation

Article excerpt

The Computer Fraud and Abuse Act of 1986 (1) (CFAA) was enacted with the primary purpose of combating computer hacking. (2) The Act prohibits using a protected computer without authorization or exceeding authorized access when the computer is used to accomplish one of several prohibited ends. (3) The CFAA is noteworthy and increasingly controversial for its breadth. The statute's broad definition of "protected computer" encompasses "effectively all computers with Internet access," (4) and the ends prohibited by the statute include intentionally causing damage to the computer, (5) using the illicit access to further a fraud, (6) and obtaining information from any protected computer. (7) Criminal violations of the CFAA may be misdemeanors or felonies, depending primarily upon which impermissible end is alleged. For instance, a violation in furtherance of a fraud is a felony punishable by up to five years in prison; (8) unlawfully obtaining information from a protected computer is a misdemeanor but may be enhanced to a felony punishable by up to five years in prison if, inter alia, the offender committed the act in furtherance of "any criminal or tortious act." (9) The CFAA also provides civil remedies including compensatory damages and injunctive relief for "[a]ny person who suffers damage or loss by reason of a violation" of the statute, with some limits. (10) Cases under the CFAA often arise in the context of employee misappropriation of employer data, (11) but they have come to span subject matter as broad as automated collection of information from websites (12) and creation of a fake profile on a social networking website. (13)

Given the CFAA's vast reach (14) and the serious consequences for its violation, it is not surprising that the CFAA's breadth has been hotly litigated. Likely the most substantial fight, and the one on which this Note will focus, is the debate over when it is that one "access[es] without authorization" or "exceeds authorized access" under the statute. (15) Indeed, a circuit split has developed regarding whether, or under what circumstances, an employee violates the CFAA by misappropriating an employer's trade secrets. (16)

In a recent contribution to the split, the Ninth Circuit applied the rule of lenity to hold that "the phrase 'exceeds authorized access' in the CFAA does not extend to violations of use restrictions," such as workplace computer use agreements or website terms of service agreements. (17) Notably, the court did not hold that Congress is unable to enact such a statute, noting that "[w]e need not decide today whether Congress could base criminal liability on violations of a company or website's computer use restrictions." (18) The court's reasoning, however, implicitly appeals to the problem of vagueness, voicing concerns regarding both notice to citizens of what constitutes criminally liable behavior (19) and the potential for broad criminal liability under the statute to lead to "arbitrary and discriminatory enforcement," (20) the two elements of the void-for-vagueness doctrine. (21) So too does much of the case law and academic literature discussing how to interpret the CFAA. (22)

This Note argues, however, that these concerns raised by courts and commentators sound less in traditional void-for-vagueness analysis than in the private nondelegation doctrine. The CFAA might, as written, be unconstitutionally vague regarding what qualifies as authorized access. If the CFAA were amended clearly to include use-restriction violations as behavior "exceeding authorized access," the statute would arguably both provide notice to citizens of what behavior was criminal and "establish minimal guidelines to govern law enforcement." (23) But the hypothetical amended CFAA (and thus the broad reading of the present CFAA) would remain troubling because it would essentially delegate to private parties the ability to define the scope of statutorily authorized access. Those private parties, in turn, could impose problematic use restrictions. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.