Court Denies Motion to Dismiss in United States v. Thompson
In United States v. Thompson, No. CR19-159RSL, 2022 U.S. Dist. LEXIS 50099 (W.D. Wash. Mar. 21, 2022) the Court denied defendant’s Motion to Dismiss the criminal indictment charging violations of the Computer Fraud and Abuse Act (CFAA).
The indictment alleges that the defendant created proxy scanners which allowed her to identify Amazon Web Services (AWS) servers that had misconfigured web application firewalls. These misconfigured firewalls permitted outside commands to reach and be executed by the servers.
The indictment says that the Defendant sent commands to the misconfigured servers to obtain security credentials for particular accounts or roles belonging to the victims. Defendant then used these “stolen credentials” to “copy data, from folders or buckets of data” in the victims’ cloud storage space and set up cryptocurrency mining operations on the victims’ rented servers.
The indictment further alleges that defendant concealed her location and identity while executing these actions by using VPNs and TOR. *4-5.
In practice, criminal defendants usually lose motions to dismiss. Often, they’re not filed because it tips the prosecution off to defense theories, or for the simple reason that’s it’s easy for the prosecution to supersede the indictment.
Because Motions to Dismiss theoretically only deal with questions of law, Judges have lots of wiggle room to punt issues to the jury. The Thompson Court punted following a typical line of reasoning.
The Court held that the government properly alleged unauthorized access to a computer, even if the defendant had the ability to access the computer after the owner revoked permission.
Indeed, an order from this Court, cited frequently by defendant, found that where the plaintiff computer-owner had explicitly revoked the defendant’s permission to access its servers, any subsequent access by the defendants was “without authorization” even though, technologically speaking, the defendant still had the ability to access the servers . . . Thus, merely having the technological capability to access a computer is not synonymous with “authorization.” at *8-9.
Assuming this is correct, it doesn’t tell us what authorization “is,” just what it isn’t.
And it goes more to the scope of the definition of authorization than its definition. When the Thompson court defines authorization, it turns to an oft cited definition from the Ninth Circuit’s United States v. Nosal, holding that “without authorization’ . . . means accessing a protected computer without permission.”‘
This is circular. “Without permission” and “Without Authorization” are synonymous and only refer to each other, e.g., permission means acting without authorization and authorization means acting without permission. Standing alone, this definition is meaningless, and an empty metric. As a practical matter the question of authorized access involves a case specific, factual inquiry requiring the application of Computer Law as its own body of law. That involves rejection of doctrines from other bodies of law, like Real Property trespass doctrines, that evolved in contrary environments and yield bad results in the Computer Law context.
Appeals to “common sense” and “common language” can’t help here because those concepts are rooted in the physical world and not networked computers. Applying trespass law – which evolved from Real Property law’s core concept of exclusivity – to computer networks risks irrational and arbitrary results like felony liability for innocuous behavior and grossly disproportionate punishments. If the power to exclude on the internet turns on the whim of the computer “owner,” as in trespass law, you invoke the law of unintended consequences.
In the physical world, if a door to a house is open, entering without permission of the owner is trespass.
That’s a common law default, it’s rational, and works well. But the opposite is true of the internet. If the door is open, the default is that you may enter. Without this default the internet wouldn’t function. For the internet to function it necessarily must be an open network.
If every IP packet traveling across the decentralized network of the internet had to ask for permission to traverse a computer on its route – not only from the server but from the server’s owner – the latency would become unmanageable, if not fatal.
The internet by default is an open network and this has to be the starting point for any analysis of authorization in relation to access and damage to a computer, not common law trespass or dictionary law. Computer Law is different because computers, and those computers networked on the internet, function differently than the world Real Property, Contract, Tort, and Criminal Law evolved in.
Computer Law is now its own body of law.
That is more metaphor than rigid classification. This is not to say it doesn’t share features with other bodies of law, but it is to say that it has features incompatible with those other bodies of law.
Importing concepts from other bodies of law that operate from different paradigms often leads to undesirable results. This is nothing unusual. Courts refuse to bootstrap a breach of contract claim (contract law, no punitive damages) into a tort claim (tort law, punitive damages); you can have one or the other, but not both.
Contract Law’s parol evidence rule excludes extrinsic evidence as to the meaning of a contract; tort law stands in contradiction to this. Real Property Law’s use of feudal Norman law stands contrary to Contract Law. And so on. The idea that the “Law” functions as a unified, objectively determinable field is superstition. Courts choose which body of law to analyze a case with, and the Courts should recognize Computer Law’s emergence as its own body of law and act accordingly, instead of recycling inapplicable concepts from other bodies of law.