In U.S. v. Kevin Cave, 12-CR-00417 (D. Neb. 2013), the defendant is a former Omaha police officer who had access to a criminal information database while still employed as a police officer. Before gaining access to the database, he was told at his employee training that use of the database was only allowed for legitimate law enforcement purposes. Despite this, the defendant allegedly sold information from the database to car repo men who paid him up to $200 a pop for leads on the locations of deadbeat car owners. At all relevant times the defendant had a valid login and password, and had full access to the database.

The defense moved to dismiss, largely on the basis of U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) and WEC Carolina Energy Solutions v. Miller, 687 F.3d 199 (4th Cir. 2012), arguing that misuse of information is not unauthorized access under the CFAA. The Government fired back with a brief pointing out the pronounced circuit split on the definition of "exceeding authorized access" and ultimately prevailed.

This case is interesting because its factual simplicity belies its legal complexity. From one corner, you can argue that the defendant was legally authorized to access everything in the database because he was given a login and password that gave him access to everything in the database. From that corner, the purpose for which he obtained the information is irrelevant to the question of authorized access under the CFAA. The defendant didn't hack anything and didn't access any part of the database that he was restricted from. His misuse of the information he obtained may have been criminal in some non-CFAA-related way, but obtaining information you have ready access to is, from this view, not a CFAA violation.

On the other hand, the defendant was clearly instructed that the only legitimate purpose that authorized him to use the database was one related to law enforcement. Under this view, it was his derogation of his duty to his employer (under both agency and contract principles) that caused the defendant to exceed his authorized access, even though his password gave him access to everything. I find the implications of this view, and its expansive criminalization of agency and contract law, troubling. As Nosal and countless others have pointed out, it risks criminalizing normal internet behavior that millions of Americans engage in every day. Nonetheless, there is a good deal of case law supporting it.

Here are the key docs: US v Cave S Indictment; Cave MTD; Gov Opp to Cave MTD; U.S. v Cave Mag Judge FR; US v Cave Gov Response to Objects to Mag F&R; US v Cave Object to Mag FR; U.S. v. Cave MTD Denial (TE)
Computer Fraud and Abuse (CFAA) updates and Analysis – March 23, 2022. Court denies Motion to Dismiss in United States v. Thompson. Why this matters for Computer Law?