Updates to Chapter 2

Criminal Law

UPDATES TO THE SECOND EDITION

2.1.5.2 “damage” and “loss”

In Van Buren, the Supreme Court noted that “damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” §1030(e)(8). The Court went on to say that “[t]he term ‘loss’ [defined in §1030(e)(11)] likewise relates to costs caused by harm to computer data, programs, systems, or information services. The statutory definitions of ‘damage’ and ‘loss’ thus focus on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data.” This understanding of “loss” and “damage” proved crucial in X Corp. v. Ctr. for Countering Digit. Hate, Inc., No. 23-cv-03836-CRB, 2024 U.S. Dist. LEXIS 53013 (N.D. Cal. Mar. 25, 2024), where the court held that X Corp.’s losses in connection with its internal investigations to ascertain the nature and scope of the defendant’s unauthorized access to X Corp. data were not technological in nature. The court therefore dismissed the CFAA claim because X Corp. had failed to allege losses based on technological harms. See also Fraser v. Mint Mobile, LLC, No. C 22-00138 WHA, 2022 U.S. Dist. LEXIS 116929, 2022 WL 2391000, at *2 (N.D. Cal. July 1, 2022) (losses incurred not to assess the breached system but to assess one’s own damages are not cognizable under the CFAA). On the other hand, allegations of costs incurred to “devote personnel, resources, and time to identifying and investigating [the defendant’s] attacks and exploits,” to “develop[] and deploy[] security patches and software upgrades,” and to increase “security measures to detect and prevent future attacks” were sufficient to allege loss under the CFAA. Apple Inc. v. NSO Grp. Techs. Ltd., No. 21-cv-9078-JD, 2024 U.S. Dist. LEXIS 11926, 2024 WL 251448, at *4 (N.D. Cal. Jan. 23, 2024). The practical distinction: costs of responding to the intrusion itself (investigating the affected system, patching, hardening) count; costs of quantifying one’s business injury do not.

2.1.5.3 “without authorization” and “exceeds authorized access”

One district court held that bypassing a CAPTCHA to view and copy portions of a website that are publicly available does not constitute unauthorized access under the CFAA. Meta Platforms v. Bright Data Ltd., 2024 U.S. Dist. LEXIS 11913, 2024 WL 251406 (N.D. Cal. Jan. 23, 2024). “Meta ‘left the gate open’ by choosing not to place all its content behind a password-protected barrier.” 2024 U.S. Dist. LEXIS 11913 at *21. See also hiQ Labs, Inc. v. LinkedIn Corp., 273 F. Supp. 3d 1099, 1113 (N.D. Cal. 2017) (“where an individual employs an automated program that bypasses a CAPTCHA—a program designed to allow humans but to block ‘bots’ from accessing a site—he has still not entered the website ‘without authorization.’… A user does not ‘access’ a computer ‘without authorization’ by using bots, even in the face of technical countermeasures, when the data it accesses is otherwise open to the public.”).

The court in Meta v. Bright Data also concluded that Meta’s terms of service applicable at the relevant time, while they prohibited scraping, applied only to logged-in users, not to scraping of publicly available data while logged off. 2024 U.S. Dist. LEXIS 11913 at *44.

2.1.5.3.2 The Outsider Cases: Bots and Scraping

Another opinion from a district court within the Ninth Circuit holds that, for CFAA purposes, a cease-and-desist letter could not revoke authorization to access a public website: L’Occitane, Inc. v. Zimmerman Reed LLP, et al., CV 24-1103 PA (RAOx), 2024 U.S. Dist. LEXIS 67470 (C.D. Cal. Apr. 12, 2024). The opinion followed directly from the analysis in hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1197-98 (9th Cir. 2022), where the Ninth Circuit reasoned that the CFAA contemplates three kinds of computer systems: “(1) computers for which access is open to the general public and permission [i.e., authorization] is not required; (2) computers for which authorization is required and has been given; and (3) computers for which authorization is required but has not been given.” Since the L’Occitane website was in the first category, the CFAA was inapplicable altogether: a cease-and-desist letter could not revoke authorization for CFAA purposes, because there was no authorization to be revoked.

However, a cease-and-desist letter can help cement a breach of contract claim. See Meta Platforms, Inc. v. Voyager Labs Ltd., No. 23-cv-00154-AMO, 2024 U.S. Dist. LEXIS 92795, 2024 WL 2412419 (N.D. Cal. May 23, 2024), where Meta alleged breach of contract based on Voyager’s creation of fake accounts and scraping of Facebook and Instagram. The court found that Meta’s cease-and-desist letters plausibly gave Voyager actual knowledge of Meta’s terms, thus supplying the assent necessary to a contract claim.

2.2.3 “reasonable measures”

In WalkMe Ltd. v. Whatfix, Inc., No. 23-cv-03991-JSW, 2024 U.S. Dist. LEXIS 120331 (N.D. Cal. July 9, 2024), the plaintiff alleged violations of the federal Defend Trade Secrets Act and California’s Uniform Trade Secrets Act. The court held that the plaintiff’s allegations of the existence of trade secrets were sufficient to survive a motion to dismiss. Plaintiff alleged it had “legal restrictions setting out the limits and obligations of anyone given access to [its] system, password and security controls that require verification of each user’s identity, and operational controls that monitor and record usage” of its platform. These, the court held, are the types of measures that can satisfy the “reasonable measures” component of the definition of a trade secret. (The court phrased the prong as whether “the owner has attempted to keep [the information] secret.”) See also, e.g., Inteliclear, LLC v. ETC Global Holdings, Inc., 978 F.3d 653, 660 (9th Cir. 2020) (“Confidentiality provisions constitute reasonable steps to maintain secrecy.”); DiscoverOrg Data, LLC v. Bitnine Global, Inc., No. 19-cv-08098-LHK, 2020 U.S. Dist. LEXIS 210494, 2020 WL 6562333, at *5 (N.D. Cal. Nov. 9, 2020) (concluding that “password protection, restrictive license agreements, mail monitoring, and list protection” were types of steps that were sufficient on a motion for default judgment to show “reasonable efforts” to maintain the secrecy of trade secrets). Note the pattern across these cases: a combination of contractual restrictions (confidentiality and license terms), authentication controls, and access logging or monitoring is what courts have treated as “reasonable.”

2.4 State Criminal Statutes

Denying a motion to dismiss a civil claim under California Penal Code § 502: WalkMe Ltd. v. Whatfix, Inc., No. 23-cv-03991-JSW, 2024 U.S. Dist. LEXIS 120331, at *15-16 (N.D. Cal. July 9, 2024).

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION

2.1 Computer Fraud and Abuse Act

For a description of the DOJ’s quite remarkable use of the CFAA combined with a search warrant issued under Rule 41 to remove malware from privately-owned computers, see the new Chapter 14.8.

2.1.5.3. “without authorization” and “exceeds authorized access”

On June 3, 2021, the Supreme Court handed down its much-anticipated ruling in Van Buren v. United States, holding that an employee did not “excee[d] authorized access” to a database of his employer, and thus did not violate the CFAA, “even though he obtained information from the database for an improper purpose.” The opinion largely, but not entirely, resolved the circuit split described in the book over whether the CFAA applies to misuse or only to access.

Van Buren was a police officer. He accessed a law enforcement database, which he was authorized to access as part of his job, but he copied the information and offered to sell it to a third party, which was clearly prohibited by his employer’s policies. The purchaser turned out to be an FBI informant. Van Buren was charged and convicted under §1030(a)(2). The Eleventh Circuit affirmed the conviction, but the Supreme Court reversed, holding that the CFAA provision at issue “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” Slip op. at 1.

The clearest takeaway from the decision is that the CFAA does not apply to employees who misuse data they are otherwise authorized to access. Thus, the circuit split over employee and ex-employee cases is resolved. Relatedly, Nosal II almost certainly stands: where an employee’s access is affirmatively revoked upon dismissal or other departure, continued access to the corporate system is without authorization and thus is covered by the CFAA. The distinction is between misuse of data one is permitted to reach (not covered) and reaching a system or area one is no longer permitted to reach at all (covered).

On other disputes revolving around authorized access, the Van Buren opinion is less clear but offers some prominent pointers. As to consumers, it seems very unlikely that a violation of terms of service would still constitute a CFAA violation. The majority was very concerned by the notion that a ToS violation could yield criminal sanctions: “the Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity” … “criminaliz[ing] everything from embellishing an online-dating profile to using a pseudonym on Facebook.” Van Buren also offers clear signals that terms of service or a cease-and-desist letter do not make competitors’ scraping illegal under the CFAA.

Unfortunately, the Court somewhat muddied its own holding. The majority opinion endorsed Van Buren’s view that liability under both the “without authorization” clause and the “exceeds authorized access” clause “stems from a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” However, the Court appended footnote 8, which states: “For present purposes, we need not address whether this inquiry turns only on technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.”

The Court’s gates-up-or-down theory squares well with the Ninth Circuit’s approach in Facebook v. Power Ventures and hiQ v. LinkedIn. For the Ninth Circuit, the key distinction between the two cases was that the content at issue in Power Ventures was password protected, while the data in hiQ was not. A username and password clearly constitute a gate. Therefore, Facebook could use the CFAA against Power Ventures, but LinkedIn, even with a cease-and-desist letter, could not bar hiQ. Even though Van Buren considered the statute’s “exceeds authorized access” clause and did not directly address the CFAA’s “without authorization” clause, the Ninth Circuit has read Van Buren as reinforcing its conclusion that the concept of “without authorization” does not apply to public websites. Right after deciding Van Buren, the Supreme Court vacated the Ninth Circuit’s 2019 ruling in the hiQ case and remanded for further proceedings in light of Van Buren. On remand, in April 2022, the Ninth Circuit reaffirmed its determination that, in effect, the CFAA does not cover scraping of data that is publicly available. The Ninth Circuit reasoned that the Supreme Court’s “gates-up-or-down inquiry” applies to two categories of computers: if authorization is required and has been given, the gates are up; if authorization is required and has not been given, the gates are down. However, the Ninth Circuit said, a defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser. Thus, a computer hosting publicly available webpages has erected no gates to lift or lower in the first place, and therefore the CFAA is inapplicable.

It is important to remember that LinkedIn had taken steps to protect the data on its website from scraping, by setting its “robots.txt” file to prohibit access via automated bots and by employing several other technological systems. Nevertheless, it is clear in the Ninth Circuit that these partial limits, alone or in combination with a cease-and-desist letter, do not bring scraping of an otherwise publicly available website within the scope of the CFAA.

If the CFAA turns on a gates-up-or-down inquiry, then what is a gate? A username and password are definitely a gate. Terms of service are almost certainly not. A cease-and-desist letter seems hard to distinguish from ToS. Rate limits used by some sites would seem to be more of a speed bump than a gate. An IP address block may be a gate. Robots.txt? CAPTCHAs? Stay tuned. (As noted in the updates to the second edition above, one district court has since treated CAPTCHA bypass on otherwise public pages as not “without authorization.”)

Of the circuit court cases cited in the book, the Second, Fourth, Sixth, and Ninth Circuits’ decisions in United States v. Valle, 807 F.3d 508 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); Royal Truck & Trailer Sales and Service Inc. v. Kraft, 974 F.3d 756 (6th Cir. 2020); and United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) remain good law, although it is probably not even necessary to cite them on the basic question of whether misuse of data violates the CFAA, since Van Buren is clear on that point.

On the other hand, the CFAA access rulings of the First, Fifth, and Eleventh Circuit cases, EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Thomas, 877 F.3d 591 (5th Cir. 2017); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); and EarthCam, Inc. v. OxBlue Corp., 703 F. App’x 803, 808 (11th Cir. 2017), are essentially abrogated by Van Buren and are no longer good law. However, International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), which had often been cited as a misuse case, is still probably good law, because the theory there was that termination of employment terminated authorization to access. See also Zap Cellular, Inc. v. Weintraub, 2022 U.S. Dist. LEXIS 168735, 2022 WL 4325746 (E.D.N.Y. Sept. 19, 2022) (termination of employment terminated authorization to access).

On terms of service, Van Buren largely validates, and certainly does not require any questioning of, Sandvig v. Barr, 451 F. Supp. 3d 73 (D.D.C. 2020) (“violating public websites’ terms of service … does not constitute a CFAA violation under the ‘exceeds authorized access’ provision”), and Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010) (scraping publicly available information, though prohibited by terms of use, did not violate the CFAA). On the other hand, EarthCam, Inc. v. OxBlue Corp., 703 F. App’x 803, 808 & n.2 (11th Cir. 2017), was incorrect in stating that “a person exceeds authorized access if he or she uses the access in a way that contravenes any policy or term of use governing the computer in question” (emphasis added). CollegeSource, Inc. v. AcademyOne, Inc., 597 F. App’x 116, 130 (3d Cir. 2015), was half wrong in suggesting that someone can be prosecuted under the CFAA for “breach[ing] any technological barrier or contractual term of use.” Remember, though, that the Court in Van Buren did leave open that some contractual terms of use might in fact constitute a gate, so the flaw in EarthCam and CollegeSource may be reduced to their categorical acceptance of any violation of a policy.

Note: In May 2022, the DOJ issued a statement that largely rejected, for purposes of the government’s charging policy, the possibility left open by the Supreme Court in Van Buren that terms of service could be the basis for an “exceeds authorized access” violation. The new DOJ policy, discussed further in subchapter 2.1.5.3.4 below, states that “The Department will not bring ‘exceeds authorized access’ cases based on the theory that a defendant’s authorization to access a particular file, database, folder, or user account was conditioned by a contract, agreement, or policy, with the narrow exception of contracts, agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances.”

A point separate from Van Buren: The CFAA is largely inapplicable to consumer privacy disputes over tracking or data collection. For example, where a consumer downloaded and used a social media app, there was no CFAA violation in the app developer’s collection of information that the app, in the course of usage, communicated to the developer’s server. Wilson v. Triller, Inc., 21-cv-11228 (JSR) (S.D.N.Y. April 18, 2022).

2.1.5.3.1 The Insider Cases—Access vs. Use

In one case after Van Buren, a district court ruled that termination of employment could, depending on the facts, end authorization, such that continuing to access a computer after termination would be access “without authorization.” United States v. Eddings, No. 5:19-cr-00535 (E.D. Pa. June 21, 2021) (“Nothing in Van Buren precludes CFAA liability premised on a theory that an individual whose employment is terminated and who accesses her previous employer’s computer after such termination accesses that computer ‘without authorization’”). In this sense, the court agreed with International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). Referring to the terminated employee, the Eddings court said that “the mere fact that she retained possession of a password which allowed her to access the server post-employment does not, under Van Buren, mean that she necessarily was ‘authorized’ to access the server. Rather, the issue of whether, after she terminated her employment, Denis remained authorized to access the IFC server is properly a question of fact for determination by a jury.” Citing the CFAA’s prohibition on trafficking in passwords, the court stated that mere possession of the means of access to a computer system, in the form of a password, does not necessarily equate to authorization. The practical lesson for employers is that authorization and credentials are distinct: a working password that was never revoked does not by itself confer authorization, but an employer that promptly disables departed employees’ credentials avoids having to litigate the question at all.

2.1.5.3.2 The Outsider Cases: Bots and Scraping

Illustrating the point made in the book about the availability of laws or doctrines other than the CFAA to address scraping: In September 2021, a federal district court issued a preliminary injunction barring the website Kiwi.com from harvesting, extracting, or scraping information from the Southwest Airlines website, including Southwest’s flight and fare information, buying Southwest tickets for resale, and otherwise accessing and using Southwest’s website and data for any commercial purpose. The court found that the Terms and Conditions on the Southwest website constituted a valid contract and that Kiwi had breached the terms by scraping Southwest flight and fare data, presenting Southwest flight data on kiwi.com, and selling Southwest flights without authorization. Southwest Airlines Co. v. Kiwi.com Inc., No. 3:21-cv-00098, 2021 U.S. Dist. LEXIS 187768, 2021 WL 4476799 (N.D. Tex. Sept. 30, 2021).

Likewise: Meta Platforms, Inc. v. BrandTotal Ltd., 2022 U.S. Dist. LEXIS 100679 (N.D. Cal.) (decided May 27, 2022; filed June 6, 2022). The court granted summary judgment in favor of Meta on its breach of contract claim against BrandTotal for violating Facebook’s terms of use, specifically section 3.2.3, which reads, “You may not access or collect data from our Products using automated means (without our prior permission) or attempt to access data you do not have permission to access.” The court also granted summary judgment in favor of Meta on the question of whether BrandTotal’s active collection of data from password-protected portions of Meta’s services violated the CFAA, consistent with the password-as-gate distinction drawn in Power Ventures. In September 2022, the parties entered into a settlement, with a permanent injunction barring the defendants from “engaging in or assisting others in data collection (also known as ‘scraping’ and ‘data harvesting’) from Facebook or Instagram, on Defendants’ behalf, whether directly or indirectly through a third party, intermediary, or proxy.”

And in the long-running litigation between LinkedIn and hiQ, the district court ruled in October 2022, on a contract claim, that hiQ had breached LinkedIn’s User Agreement by scraping data from LinkedIn’s site. hiQ Labs v. LinkedIn, No. 3:17-cv-03301 (N.D. Cal. Oct. 27, 2022).

2.1.5.3.4 Terms of Service

The book states that the U.S. Department of Justice position on the ToS issue has always been vague. In May 2022, the DOJ issued a new policy statement that substantially clarified its position. There is a lot in the statement, which articulates the Department’s interpretation of the CFAA after Van Buren (without actually mentioning the case). The headline grabber in the policy was the statement that attorneys for the government “should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research,” citing as the definition of “good-faith security research” the language recommended by the Register of Copyrights in “Section 1201 Rulemaking: Eighth Triennial Proceeding to Determine Exemptions to the Prohibition on Circumvention” (Oct. 2021), at 258. The statement also indicated that the Department will not charge defendants with exceeding authorized access under 18 U.S.C. §§ 1030(a)(1), (a)(2), and (a)(4) unless, at the time of the defendant’s conduct, (1) a protected computer is divided into areas, such as files, folders, user accounts, or databases; (2) that division is established in a computational sense, that is, through computer code or configuration, rather than through contracts, terms of service agreements, or employee policies; (3) the defendant is authorized to access some areas, but unconditionally prohibited from accessing other areas of the computer; (4) the defendant accessed an area of the computer to which his authorized access did not extend; (5) the defendant knew of the facts that made his access unauthorized; and (6) prosecution would serve the Department’s goals for CFAA enforcement, as described in the statement. Element (2) is the one of most interest to practitioners: for charging purposes, a “gate” must be implemented in code or configuration, not merely written in a policy.

On the other hand, in a passage that may be relevant to the scraping debate outside the Ninth Circuit, the policy states that, “when authorizers later expressly revoke authorization—for example, through unambiguous written cease and desist communications that defendants receive and understand—the Department will consider defendants from that point onward not to be authorized.”

Like all similar DOJ policy statements, this one states that it is “not intended to, do[es] not, and may not be relied upon to create a right or benefit, substantive or procedural, enforceable at law by a party to litigation with the United States.” It binds only the Department’s own charging decisions; it does not narrow the statute as courts may construe it, and it has no bearing on civil CFAA claims brought by private parties.

2.5 State Criminal Statutes

After the Van Buren decision, employers and others concerned about misuse of data by authorized users may turn to state law. Texas Penal Code §§ 33.01-33.02 makes it a crime to knowingly access a computer, computer network, or computer system “without the effective consent of the owner,” and consent is not effective if the access is “used for a purpose other than that for which the consent was given.” § 33.01(12). Unlike the CFAA after Van Buren, this purpose-based definition of consent reaches misuse by a user who was otherwise permitted to access the system.

California Penal Code § 502 makes it a crime to:

  • knowingly access and without permission … use any data, computer, or computer network in order to defraud or wrongfully control or obtain data;

  • knowingly access and without permission copy or make use of any data from a computer; or

  • knowingly and without permission use or cause to be used computer services.

Section 502 includes a civil cause of action, with attorney’s fees and punitive damages. Subsection (h) states, quite confusingly, that the section does not apply to acts within the scope of employment. If an employee is using data or a computer in a way that is prohibited by their employer, is the employee acting within or outside the scope of employment? On the scope of § 502, there have been conflicting signals from the California state courts. See Chrisman v. City of Los Angeles, 155 Cal. App. 4th 29, 34-35 (2007); People v. Childs, 220 Cal. App. 4th 1079, 1099-1106 (2013).


Last updated: Nov. 20, 2024.

Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.