One of the issues we hear a lot about in the news recently is “cybercrime.” So, what does that term mean? In general, a cybercrime is any criminal act carried out by gaining unauthorized access to a computer system. Federal law defines “unauthorized access” in 18 USC § 1030(a)(2) as where one “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
- information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
- information from any department or agency of the United States; or
- information from any protected computer;”
The prohibition thus covers trespassers who have no right at all to use a given computer, as well as those who can use a given computer but manage to access parts of the system that are off limits. Federal courts recognize two categories of unauthorized conduct: (1) those inherent in common law principal/agency relationships and (2) those explicitly established and published by the owner of the computer data.
The lack of authorization based on the common law of agency deals with a scenario where an employee sends valuable company information through the Internet immediately before the employee terminates his or her employment with the company to assume a new position with a competitor. For example, if otherwise authorized employees send confidential information via e-mail from a company computer to a direct competitor that is also their new employer, the access to the information and the corporate email system is unauthorized.[1] Relying on the common law rules of agency, the employees’ authority ended when they acquired “adverse interests” or committed “a serious breach of loyalty” to their employer.[2] Thus, such employees “lost their authorization and were ‘without authorization’ when they allegedly obtained and sent the proprietary information to [the direct competitor / new employer] via e-mail” because they acquired “adverse interests” when they accepted employment with the direct competitor.[3]
Where an otherwise authorized person removed from a company computer assigned to them documents, e-mail files, and/or software the federal courts have found the access to be “unauthorized” when rules established and promulgated by the owner of the computer data have been violated.[4]
The federal courts have held that access to information published on a publicly accessible website can be unauthorized. have also opined on what is authorized activity with respect to taking data from public websites. Violation of an express rule published on a website [such as prohibiting the use of an automatic robot to download data from the website] was enough to show that the defendant lacked authorization and was therefore illegal under the CFAA.[5]
Even though Register.com, as an accredited domain-name registrar, must permit online access to names and contact information for its customers “to provide necessary information in the event of domain-name disputes;” the database is set up to “allow the user to collect contact information for one domain name at a time by entering the domain name into a provided search engine.” [6] The district court found that the automated search robot was not “authorized” by the website’s terms of use, holding that even if the defendant’s “means of access” to the database would otherwise be authorized, “that access would be rendered unauthorized ab initio by virtue of the fact that prior to entry . . . [the defendant] knows that the data obtained will be used later for an unauthorized purpose.”[7]
Where a confidentiality agreement between an employer and a former employee exists, downloading information from a publicly accessible website may be unauthorized. [8] Using an automatic robot to gather public pricing data by a former employee bound by such an agreement to help a new employer “gain a substantial advantage” over other market players and especially the former employer is a violation of the CFAA.[9]
New York defines “without authorization” as using or accessing a computer or computer service or network without the permission of the owner or lessor of the computer, network or service (or their authorized agent) where the user knew that they were accessing or using the same without permission or after actual notice that such use or access was without permission. [10]
If someone uses or accesses a computer, or computer service or network by knowing using any sort of instructions, code or computer program that bypasses, defrauds or otherwise circumvents a security measure installed or used on the target computer, or computer service or network, the court may infer from those facts that such person used or accessed such computer, computer service or computer network without authorization.[11]
Other
sorts of crime like identity theft, or credit card fraud may be carried out using
computer technology – such as the internet – but those are different crimes. They
are not, strictly speaking, cybercrimes.
[1] Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Washington, 2000); see also Deloitte & Touche, LLP v. Pesin, Civ. Action No. 03-675 (RBW) (D.DC July 7, 2003).
[2] Id.
[3] Id.
[4] US Greenfiber v. Brooks, No. Civ. A. 02-2215, (W.D. La. 2002).
[5] Register.Com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000).
[6] Id.
[7] Id.
[8] EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
[9] Id.
[10] NY Penal Law § 156.
[11] https://www.nycourts.gov/judges/cji/2-PenalLaw/156/156.05.pdf
Guerrilla Lawfare 