Collection and Dissemination of Unauthorized Information

Yesterday we concluded the Third Annual UCLA Cyber Crime Moot Court Competition in Los Angeles. This year the moot problem dealt with the use of a scraper program against a public website to collect e-mail addresses for the purpose of illustrating security vulnerabilities.

The first issue in the case was roughly modelled after United States v. Auernheimer, 2012 WL 5389142 (D.N.J. 2012), which is expected to appear before the Third Circuit in the near future. In that case, a scraping script was used to harvest the personal information of approximately 120,000 AT&T customers.

The script exploited a weakness in an AT&T website that served the provider's tablet customers: each customer's record was reachable through a URL keyed on the Integrated Circuit Card Identifier (“ICC-ID”) of the customer's SIM card, and the site returned the e-mail address associated with whatever ICC-ID it was given. Because the ICC-ID was the only thing the site checked, and ICC-IDs are assigned in predictable sequences, a script could request the URL for a large range of them and collect the corresponding e-mail addresses.
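The pattern described above, a resource keyed on a predictable identifier and nothing else, is what application security calls an insecure direct object reference. The following Python is an added illustration written for this post; it is not the AT&T site's code nor the script used in the case. It models the vulnerable lookup beside a version that binds the lookup to an authenticated session, runs a constructed enumeration scraper against both, and adds a small server-side check that flags a source requesting an unusual number of distinct identifiers. All ICC-IDs, e-mail addresses, session tokens and log entries are constructed sample data, and the threshold in the detector is an assumed value.

```python
"""Added example (not from the post or from AT&T): an enumerable-identifier
lookup beside a hardened one, a sequential scraper run against each, and a
simple enumeration detector. All data below is constructed."""
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample directory: ICC-ID -> e-mail. Real ICC-IDs are long
# decimal strings handed out in sequence, which is what makes them
# enumerable; these particular values are made up.
DIRECTORY: Dict[str, str] = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
    "89014103211118510722": "carol@example.com",
}


def lookup_vulnerable(icc_id: str) -> Optional[str]:
    """Vulnerable pattern: the identifier in the request alone selects the record."""
    return DIRECTORY.get(icc_id)


# Hardened pattern: a session token identifies the caller, and the caller may
# only read the record its session is bound to. token -> bound ICC-ID.
SESSIONS: Dict[str, str] = {}


def issue_session(icc_id: str) -> str:
    """Stand-in for a real login; returns an unguessable token bound to one ICC-ID."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = icc_id
    return token


def lookup_hardened(icc_id: str, token: Optional[str]) -> Optional[str]:
    """Return the e-mail only if the session exists and is bound to this ICC-ID."""
    if token is None:
        return None
    bound = SESSIONS.get(token)
    # Constant-time comparison; the identifier is still compared on the server,
    # so a guessed ICC-ID never unlocks someone else's record.
    if bound is None or not hmac.compare_digest(bound, icc_id):
        return None
    return DIRECTORY.get(icc_id)


def enumerate_block(start: int, count: int,
                    fetch: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """A scraper of the kind the post describes: walk a block of sequential
    ICC-IDs and keep whatever the endpoint hands back."""
    harvested: Dict[str, str] = {}
    for n in range(start, start + count):
        icc_id = str(n)
        email = fetch(icc_id)
        if email:
            harvested[icc_id] = email
    return harvested


def flag_enumeration(request_log: List[Tuple[str, str]],
                     threshold: int = 20) -> List[str]:
    """Detection side: sources that requested more than `threshold` distinct
    ICC-IDs. `request_log` is (source, icc_id) pairs; the threshold is an
    assumed tuning value, not one from the case."""
    seen: Dict[str, set] = {}
    for source, icc_id in request_log:
        seen.setdefault(source, set()).add(icc_id)
    return sorted(src for src, ids in seen.items() if len(ids) > threshold)


def demo() -> Tuple[int, int]:
    """Run the same 50-ID sweep against both endpoints; returns (vulnerable
    hits, hardened hits without a session)."""
    base = int("89014103211118510700")
    vulnerable_hits = enumerate_block(base, 50, lookup_vulnerable)
    hardened_hits = enumerate_block(base, 50, lambda i: lookup_hardened(i, None))
    return len(vulnerable_hits), len(hardened_hits)


if __name__ == "__main__":
    print("vulnerable/hardened hits:", demo())
    log = [("198.51.100.7", str(int("89014103211118510700") + i)) for i in range(40)]
    log += [("203.0.113.9", "89014103211118510720")] * 5
    print("flagged sources:", flag_enumeration(log))
```

The hardened version changes nothing about the URL or the identifier; it only refuses to answer unless the caller has already proven, through the session, that the identifier is its own. That is the check the scenario's site lacked, and the detector shows the signal such a sweep leaves even when the lookup itself succeeds: one source, many distinct identifiers, in order.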

The accused was sentenced to 41 months in prison for a felony under the Computer Fraud and Abuse Act (“CFAA”). The information was apparently not used for any monetary purpose; it was instead brought to the attention of several media outlets. The CFAA criminalizes “unauthorized” access to a computer, providing in relevant part (18 U.S.C. § 1030(a)(2)(C)):

Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.

The CFAA itself does not define “authorization” or “authorized access,” so the court looked to the website's terms of use for the owner's intended use of the site. American courts have treated this requirement differently. The court in United States v. Morris, 928 F.2d 504, 506, 510 (2d Cir. 1991) found that releasing a worm onto the Internet was a CFAA violation, even though the student involved claimed he did so to expose security vulnerabilities. He was authorized to use the university's computer systems, but only for the intended uses the university had outlined.

In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001), the First Circuit found that a business competitor's use of a scraper to obtain pricing information constituted a violation of the CFAA. Similarly, in United States v. Phillips, 477 F.3d 215, 218-20 (5th Cir. 2007), use of a scraper to copy e-mails was a CFAA violation, but the individual there was a student who had signed a policy specifically agreeing not to perform scans from his university account, and his scans crashed the university's servers multiple times. The court in Phillips relied on the intended-use analysis from Morris, but the scans there also employed social security numbers, which are obviously far more sensitive in nature.

However, the First Circuit's companion decision in EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003), which concerned the contractor that built the scraper used to collect the competitor's price information, declined to find a CFAA violation on the basis of the website owner's “reasonable expectations.” The court rejected that test for determining whether authorized access had been exceeded, stating,

We think that the public website provider can easily spell out explicitly what is forbidden and, consonantly, that nothing justifies putting users at the mercy of a highly imprecise, litigation-spawning standard like “reasonable expectations.” If EF wants to ban scrapers, let it say so on the webpage or a link clearly marked as containing restrictions.

The court added that the targeted business would probably dislike the manual accumulation of this type of information as much as the scraped information, so the technique used was not in itself sufficient to find a violation.

The second issue in the competition dealt with a fictitious extension of the above scenario, in which law enforcement officers connected to the accused's unprotected home Wi-Fi network, accessed his home computer, and found a folder containing the information obtained through the scraper. The officers used a “Shadow” device and a laptop to accomplish this. The issue was whether the officers' conduct amounted to an unreasonable search in violation of the 4th Amendment under the test enunciated in Katz v. United States, 389 U.S. 347 (1967). Under the Katz doctrine, a search occurs when government action obtains information in which an individual has a subjective expectation of privacy that society is prepared to recognize as objectively reasonable. In Smith v. Maryland, 442 U.S. 735 (1979), the court held that people do not have a reasonable expectation of privacy in information they have disclosed to third parties.

For the first time in this event, the competition was preceded by a symposium focusing on Edward Snowden. The Oxford-style debate focused on whether Snowden was a patriot or a traitor, and included the following panelists:

  • Hon. James G. Carr, federal district judge for the United States District Court for the Northern District of Ohio
  • Bruce Fein, attorney to the Snowden family and renowned Constitutional lawyer
  • Stewart Baker, former General Counsel to the NSA and Undersecretary of Homeland Security
  • Jesselyn Radack, Edward Snowden’s attorney and former ethics adviser to the Department of Justice
  • Trevor Timm, founder of the Freedom of the Press Foundation, and writer for The Atlantic, Foreign Policy, The Guardian, Harvard Law and Policy Review, Politico, and Salon

Snowden spoke recently at South by Southwest from Russia, still characterizing his actions as being a whistleblower acting in the public interest,

We have an oversight model that could work. The problem is when the overseers are not interested in oversight. The key factor is accountability.

We need public advocates, public representatives, public oversight, [including] a watchdog that watches Congress.

Following the moot competition, Bruce Fein discussed Snowden further in light of Auernheimer and the CFAA. The accused in Auernheimer claimed similar whistleblower defences for his collection and dissemination of the unauthorized information obtained through the scraper script.

Fein argued that, quite apart from the rule of lenity, applying the plain-meaning rule to the CFAA leaves it potentially unconstitutionally vague. There are serious due process deficiencies in the CFAA: those prosecuted under it may not be given fair notice, and a website's terms of service form a contract of adhesion drafted entirely by one party, the website owner. We could fall into absurd situations where the drafter of the contract, a private website owner, must be called to court to explain the intent behind specific terms. While that may pass a civil standard, it would not pass a criminal one. Fein anticipated that the courts will eventually say that Congress cannot continue to get away with this vagueness.

Fein called for better discipline by Congress, referencing the 2010 comment by House Minority Leader Nancy Pelosi (D-CA) that “we have to pass the bill so that you can find out what is in it, away from the fog of the controversy.”

Fein also discussed the 4th Amendment issues around the fictitious scenario, and suggested that the level of privacy we should be attaining is the level Americans enjoyed in 1791 when the 4th Amendment was ratified. Societal expectations of what counts as a reasonable expectation of privacy under the Katz doctrine are constantly changing and very difficult to assess, and a historical approach to determining privacy interests is much more workable. He referenced United States v. Jones, 132 S. Ct. 945 (2012), which held that Katz only supplemented, and did not replace, the governmental trespass approach used historically. On his account, Smith v. Maryland could not be applied to the scenario. In Jones, the majority found a 4th Amendment violation because officers physically attached a GPS tracker to the suspect's vehicle, and the concurring justices added that the sheer volume of location information collected over weeks of monitoring went well beyond what a person would expect to be tracked.