Nebraska District Court Holds that Accessing a Computer With An Improper Purpose Exceeds Authorized Accuss Under the CFAA

U.S. v. Kevin Cave, 12-CR-00417 (D. Neb. 2013) the defendant is a former Omaha police officer who had access to a criminal information database while still employed as a police officer.  Before gaining access to the database he was told at his employee training that use of the database was only allowed for legitimate law enforcement purposes.  Despite this, the defendant allegedly sold information from the database to car repo men who paid him up to $200 a pop for leads on the locations of deadbeat car owners.  At all relevant times the Defendant had a valid log in and password, and had full access to the database. The Defense moved to dismiss, largely on the basis of U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) and WEC Carolina Energy Solutions v. Miller, 687 F. 3d 199 (4th Cir. 2012), arguing that misuse of information is not unauthorized access under the CFAA.  The Government fired back with a brief pointing out the pronounced circuit split on the definition of exceeding authorized access and ultimately prevailed. This case is interesting because its factual simplicity belies its legal complexity.  From one corner you can argue that the Defendant was legally authorized to access everything in the database because he was given a log in and password that gave him access to everything in the database.  From that corner the purpose he was obtaining the information for is irrelevant for CFAA purposes when it comes to the question of authorized access.  The Defendant didn’t hack anything and didn’t access any part of the database that he was restricted from.  His misuse of the information he obtained may have been criminal in some non-CFAA related way, but obtaining information you have ready access to is from this view not a CFAA violation. On the other hand, the Defendant was clearly instructed that the only legitimate purpose that authorized him to use the database was one related to law enforcement.  Under this view, it was his derogation of his duty to his employer (under both agency and contract principles ) that caused the Defendant to exceed his authorized access even though his password gave him access to everything.  I find the implications of this view, and its expansive criminalization of agency and contract law troubling.  As Nosal and countless others have pointed out, it risks criminalizing normal internet behaviour that millions of Americans engage in any day.  Nonetheless, there is a good deal of case law supporting it. Here are the key docs: US v Cave S Indictment Cave MTD Gov Opp to Cave MTD U.S. v Cave Mag Judge FR US v Cave Gov Response to Objects to Mag F&R US v Cave Object to Mag FR U.S. v. Cave MTD Denial (TE)      ]]]]> ]]>

Road to Nowhere

In Liminae: The Road to Nowhere

It takes us about six hours to drive to the rural state jail (that’s owned by two judges) the Feds contracted with to hold our client. Accused of computer crimes, he can’t effectively review evidence in jail – there’s no practical access to computers in the gulag. They’ve seized all his assets claiming they’re the ill-gotten gains of crimes the government can’t identify, and their computer forensics – if you can call them that – have no scientific basis and are full of basic errors and typos. In my decade as a federal criminal defense lawyer doing computer cases across the country, I’ve never come across a case where the government was so completely off.

Read More »

Guilty Until Proven Innocent

A defendant’s view from the trenches of federal criminal court This post is originally published to Substack. You can read and follow us there. https://torekeland.substack.com/p/guilty-until-proven-innocent

Read More »

For media inquiries, please email info@torekeland.com

30 WALL STREET, 8TH FLOOR • NEW YORK, NY 10005

©2022 Tor Ekeland Law, PLLC   •  info@torekeland.com

Attorney Advertising   •   Past results do not guarantee future results   •   Licensed in New York