More Thoughts on the Six CFAA Scenarios About Authorized Access vs. Unauthorized Access

In last night’s post, I offered six scenarios to help identify what should be the proper line between access to a computer that is authorized versus without authorization under the Computer Fraud and Abuse Act. The reader responses are still coming in, and if you haven’t voted yet, please read that post and do so. But for those who have already voted, or aren’t into that sort of thing, here are my own thoughts on how the law should treat the six hypotheticals.

1. Sally has a web-based e-mail account that she uses for personal e-mails. Joe suspects that Sally uses a common password that offers very little security, as the e-mail provider does not impose any restrictions on what passwords subscribers can use. Joe wants to teach Sally about good password practices, so he goes to her login page and (without her permission) tries the password “password.” That is in fact Sally’s password, so Joe is able to log in and see Sally’s e-mails. In your view, should accessing Sally’s e-mail be considered permitted authorized access or prohibited unauthorized access?

My view: Prohibited unauthorized access. Guessing at someone’s password and using it to access their private files is one of the paradigmatic forms of unauthorized access. The whole point of setting up accounts and having passwords is to block access rights; guessing someone else’s password and using it to access the other person’s files is like picking the lock that guards their physical stuff. It’s true that Sally had a stupid password, but I think it would be problematic to say that you need to have locks that are “good enough” before the law will start to respect a person’s rights in guarding what that lock protects.

2. Sally sets up a “CAPTCHA” gate designed to ensure that only humans and not computers get access to her website where she is offering tickets for sale to her upcoming concert (only two tickets can be sold per person). Joe wants to buy 1,000 tickets to the concert so he can scalp them for a profit, so Joe writes a script designed to visit the website and guess at the correct letters and numbers. Use of the script allows Joe’s computer to bypass the CAPTCHA gate and purchase 1,000 tickets in a short period of time. In your view, should use of the script to bypass CAPTCHA and purchase the tickets be considered permitted authorized access or prohibited unauthorized access?

My view: This one is tricky, and I think it could reasonably go either way. On balance, though, I tend to think it should be deemed permitted authorized access. The site was set up so that it provided the code to access the computer to anyone who visited. It’s true that the CAPTCHA made it harder for the computer to access the computer without a human intermediary. But every visitor was given the way to access the computer, and the script gained access by entering the code that was given. So while it’s a close call, on balance I think this one is probably best described as authorized access.

3. Sally runs a news website and gives visitors five free visits a week as determined by a cookie placed on the visitor’s computer. If a person tries to visit more than five times in a week, however, the website blocks access and asks the user to purchase a subscription. Joe visits the website many times a day; when the site blocks access, he simply cleans out his cookies and keeps visiting. In your view, should this be considered permitted authorized access or prohibited unauthorized access?

My view: Permitted authorized access. The website was available to the public, and anyone could access it from a new machine at any time. The only means of limiting access was using a cookie placed on the user’s machine. But it’s up to users to set what cookies they want on their own machines. Many users often clear out their cookies for many reasons or use different browsers; control is up to them, not the websites they visit. As a result, I think that automatically limiting access based on a cookie left on that one browser of that one machine is best understood not as an effort to block access to that user but as an effort to introduce a mild annoyance that might prompt users to buy a subscription to avoid the hassle of cleaning out cookies or using a different browser or machine. Clearing out cookies to visit like everyone is allowed to do is still permitted authorized access.

4. Sally has a website with pictures of her most recent party. Access to the website is protected by a password. Sally e-mails her friends who attended the party and invites them to visit the page and look at pictures using the password “sallysparty.” Joe did not attend the party but he is able to guess the password; he uses the password and sees the pictures. In your view, should using the password to see the pictures be considered permitted authorized access or prohibited unauthorized access?

My view: Prohibited unauthorized access. This is just like scenario #1. It’s true that more people have the password, but I don’t see how that makes a difference to whether guessing the password makes access unauthorized. Shared passwords can raise issues of intent: the prohibition on access without authorization requires intent, and it’s often true that if passwords are widely shared, a person might not realize that using it goes beyond the limits set by the account holder. But that doesn’t seem to be an issue here because Joe only guesses at the password.

5. Sally is a college admissions counselor who decides to let applicants know if they have been admitted by sending them a link to a unique URL, such as www.college.edu/?shva=1#decision/13c9e80c03a4a673. A person who visits the URL will see a letter either admitting them or rejecting them. Joe wants to know who has been admitted to the college, so he writes a script that queries the website at each of the possible URLs and collects the letters indicating the admissions decisions of all 5,000 applicants. In your view, should accessing the college site to collect all the decisions be considered permitted authorized access or prohibited unauthorized access?

My view: Permitted authorized access. The school has posted the admissions decisions on the web. That is, they have set up their server so that anyone who enters in that address will be shown the relevant page. It’s true that they did so using URLs that were hard to guess, and they only advertised those URLs to specific individuals. But you can’t post stuff on the web for anyone to see and then just hope that only the right people happen to look at the right pages. Anyone can visit a public web page; visiting these pages was permitted authorized access.

6. Sally runs a free social networking site in which users must register and obtain an account. The Terms of Use of the website say that each user can have only one account, and that they must not use the social networking site for commercial purposes. Joe signs up for an account and uses the site to sell his products. In response to complaints about this commercial use, Sally bans Joe’s account. Joe responds by signing up for a new account with a new name, and he then uses the new account to sell his products. Other users complain, so Sally bans Joe’s new account. Joe responds by signing up for a third account under a third name, and he accesses Sally’s social networking site and again uses the site to sell his products. This time, however, Joe acts in ways that keep complaints to a minimum, and Sally is never notified that Joe is back using the site. In your view, should creating the third account and accessing the site using it be considered permitted authorized access or prohibited unauthorized access?

My view: This one is a little tricky, but I think it should be treated as prohibited unauthorized access. Sally had booted Joe off the site; when Joe came back, Sally booted him off again; and the only reason Joe was able to return was that Sally hadn’t noticed him (yet). I think this should be treated just like trespass in the physical world. If I own a bar or restaurant that is open to the public, then at first anyone is welcome. But if I throw someone out of the bar for some perceived affront, then the usual access rights don’t apply to the guy who I just threw out. He can’t just put on a hat and a fake beard and walk right in again. The clear indication that that person has been banned from the bar makes future accesses unauthorized. The Model Penal Code calls this a “defiant trespasser,” and the Code specifically includes liability when a person “enters or remains in any place as to which notice against trespass is given by . . . actual communication to the actor.” MPC 221.2(2). I tend to think the same principle should apply in the online setting. The action by the sysadmin designed specifically and unambiguously to keep that person off the site makes Joe’s using a new account to get around the ban an access without authorization. With that said, as in #4, there may be questions of intent that could justify a different result in some cases. The law prohibits intentional access without authorization, not just any access without authorization. If Joe comes back and complies with the TOS, he may honestly believe that he is now permitted to access the site. If he has that belief, his conduct would be an access without authorization that is not prohibited because it is not intentional as to the lack of authorization.