,

by James Juo

•

AT AGE 14, Aaron Swartz was working with leading tech­ extortion by threat of damage to a computer.9 In addition nologists to craft standards for openly sharing informa­ to traditional computer hacking, the statute also has tion on the Interner.! He then helped Lawrence Lessig with been asserted against employees who take trade secrets Creative Commons, which promotes the use of simple, stored on their employer's computer before leaving to join standardized copyright licenses that give the public per­ the competition. IO In 1984, Congress enacted the CFAA mission to share and use creative works.2 At 19, he was to criminalize the hacking of computers in connection with a founding developer of Reddit, a widely used social national security, financial records, and government prop­ news Web site where users can post news links and vote erty.11 The statute was originally designed to cover unau­ on them.3 Aaron later became a political activist for thorized access of such protected computers having a Internet freedom and social justice issues and formed the specified federal interesr. 12 advocacy group Demand Progress.4 At 26, facing a crim­ The CFAA has been expanded a number of times. 13 inal trial under the Computer Fraud and Abuse Act For example, a 1994 amendment expanded the statute to (CFAA) for allegedly circumventing computer restric­ allow private entities to assert a civil cause of action and tions to an online database of academic articles, Aaron obtain compensatory damages and other equitable relief. 14 Swartz hanged himself in January.s In 1996, the CFAA was further amended to expand the Since then, Internet groups have criticized the U.S. class of protected computers to include any computer Department of Justice for its prosecution of Swartz, " used in interstate or foreign commerce or communica­ although several legal commentators have noted that the tion."ls In the space of a dozen years, the scope of this CFAA had been interpreted broadly by some courts to criminal statute has gone from a limited set of protected cover similar conduct in other cases.6 According to computers to possibly every computer in the United States Jennifer Granick, the Director of Civil Liberties at the connected to the Interner. 16 Stanford Center for Internet and Society, the CFAA has become a legal regime that as often as not is "used against Without or Exceeding Authorization whistleblowers, disloyal employees, and activists."7 The CFAA prohibits "access without authorization" and "Aaron's Law" has become a rallying cry to reform the "exceed[ingJ authorized access" to a protected com­ CFAA. puter. 17 But the CFAA has been called "remarkably The CFAA is a computer trespass statute that has vague" on this point. 18 What does it mean to access a com­ been called "one of the broadest federal criminal laws cur­ puter without authorization or to exceed authorized rently on the books."8 Prohibited conduct under the CFAA includes theft of computer data, unauthorized James Juo is a partner at Fulwider Patton LLP, a Los Angeles access with intent to defraud, unauthorized access result­ law firm specializing in intellectual property, including patents ing in destruction, trafficking in computer passwords, and and trademarks.

32 Los Angeles Lawyer July/Augu Si 2013 access? Exactly whar makes one person's narrowly because it is a criminal statute, IFerry had an express computer usage policy access authorized and another's unautho­ while others have adopted the broad analy­ that was reflected in an opening computer rized (or exceeded) has been the subject of sis of Citrin. 32 The Ninth Circuit's recent screen warning: "This product is intended much litigation. Such conduct has been decisions in LVRC Holdings LLC v. BrekkaJJ to be used by KornlFerry employees for work alleged to in~lude exploiting code-based secu­ and United States v. Nosal,34 however, appear on KornfFerry business only. "42 rity flaws,19 launching a denial of service to be moving toward a narrower interpreta­ Relying on Brekka, the district court dis­ attack on a Web site,20 "spoofing" IP ad­ tion that does not crimina,lize violations of pri­ missed the CFAA claim because Nosal had d resses to a void access restrictions,21 access­ vate use-based restrictions. pcrmission to access the Korn/Ferry com­ ing information stored on an employer's com­ In LVRC Holdings LLC v. Brekka, the puters.43 The district court also relied on the puter for a competing business,22 allowing an defendant was an employee who, as part of rule of lenity to interpret the CFAA nar­ unauthorized person to use the valid password his job, had computer access to information rowly.44 A three-judge panel of the Ninth of another,23 and violating a Web site's terms regarding LVRC's addiction treatment busi­ Circuit reversed the district court on appeal.45 of service.24 ness, including financial statements, budgets, Distinguishing the earlier Brekka decision in Should the question of authorization be and other reports.35 Brekka traveled between which the defendant "had unfettered access focused on the means used to obtain the his Florida home and Nevada for work and to the company computer," the panel noted data (e.g., whether the defendant is alleged e-mailed LVRC business documents to his that KornlFerry had "clear and conspicuous to have broken into the computer system), and his wife's personal e-mail accounts. LYRC restrictions" on an employee's computer or should it further look to whether the and Brekka did not have a written employ­ access.46 The panel held that "as Ilong as the obtained data was used improperly? Under ment agreement, and LVRC had no employee employee has knowledge of the employer's the latter approach, if a disloyal employee guidelines that would have prohibited employ­ limitations on that authorization, the were to access commercial information on ees from e-mailing LVRC documents to per­ employee 'exceeds authorized access' when the employer's computer for any purpose sonal computers. After Brekka left the com­ the employee violates those limitations. "47 other than that authorized by his or her pany, LVRC became concerned that Brekka The Ninth Circuit reheard Nosal en banc job, there could be liability under the CFAA. had e-mailed LVRC documents to himself to and reversed the panel decision and affirmed In recent years, many plaintiffs have used the fu rther his own interests ra ther than those of the district court.4H Writing for the majority, CFAA to federalize cases that otherwise LVRC)6 Chief Judge Alex Kozinski gave a litany of would have been treated as traditional trade The Ninth Circuit expressly rejected hypothetical examples of adverse conse­ secret cases but for the involvement of a Citrin's broad interpretation of the CFAA, quences that may arise from giving the force computer.25 Some recent court decisions, noting that nothing in the plain language of of criminal law to a private party's computer however, have adopted a narrower inter­ the statute suggests that liability for accessing use policies. Numerous dating Web sites, for pretation, so whether such a plaintiff would a computer without authorization turns on instance, have terms of service that "pro­ be successful may depend on which court­ whether the defendant breached a duty of hibit inaccurate or misleading information." house hears the case. loyalty to an employerY Brekka was autho­ Under the government's proposed interpre­ In International Airport Centers, L.L.c. rized to use LVRC's computers while he was tation of the CFAA, "describing yourself as v. Citrin, the Seventh Circuit relied on the employed at LVRC, so he did not access a 'tall, dark and handsome,' when you're actu­ agency relationship between an employee computer "without authorization" under the ally short and homely, will earn you a hand­ and employer to determine whether access CFAA when he e-mailed documents to him­ some orange jumpsuit."49 was authorized.26 The defendant, Citrin, self prior to leaving LVRC.38 "Nor did email­ Moreover, because a Web site's terms of decided to start his own business in compe­ ing the documents 'exceed a uthorized access,' service or an employer's policies may change tition with his employer, International Airport because Brekka was entitled to obtain the at any time with little or no prior notice, Centers (lAC). Before leaving, Citrin used a documents." 39 The court further noted the rule what was lawful conduct one day could secure-erase program that permanently erased of lenity, which requires courts to limit the become unlawful the nexr. 50 The court sug­ all the data (presumably including evidence reach of criminal statutes to their plain mean­ gested that the CFAA would be unconstitu­ of his allegedly improper conduct) on a lap­ ing and to construe any ambiguity against tionally vague if violating a Web site's terms top provided to him by IACP Citrin "knew the government in order to avoid imposing of service (which typically are written to give the company had no duplicates of [the unexpected burdens on the defendant.4o the Web site's owner a broad right to cancel destroyed data]."28 accounts without liability) could be construed The court noted that an employee's autho­ Nosal to be unauthorized or to have exceeded autho­ rization to access the employer's computer In United States v. Nosal, Nosal was a high­ rized access under the CFAA.51 data is based on the agency rela tionship level employee at executive search firm Korn The tendency of a mind to "wander" and between the employer and employee, and lFerry International. When Nosal decided to people to "procrastinate" by connecting to the Citrin's authorization ended when he leave, he signed an agreement to continue Internet at work for a nonwork purpose breached the duty of loyalty to IAC.29 "[T]he working for KornlFerry as an independent "would make criminals of large groups of authority of the agent terminates if, without contractor in order to complete several ongo­ people who would have little reason to sus­ knowledge of the principal, he acquires ing projects, and he agreed not to compete pect they are committing a federal crime."52 adverse interests or if he is otherwise guilty against KornlFerry for one year.41 During For other improper conduct involving a com­ of a serious breach of loyalty to the princi­ that time, however, Nosal accessed confi­ puter, laws such as wire fraud, trade secret, pal."30 This interpretation of access under the dential and proprietary information in the or contract law may apply instead.53 The CFAA-finding liability for violations of cor­ KornJFerry computer system to obtain cus­ court concluded that the "exceeds autho­ porate computer use restrictions or viola­ tomer lists and other trade secrets for a com­ rized access" language "in the CFAA is lim­ tions of a duty of loyalty-was adopted by the peting business that he was starting. Several ited to violations of restrictions on access to Fifth and Eleventh Circuits as welL3! employees also helped access the KornlFerry information, and not restrictions on its use."54 Some district courts, however, ha ve computer system to obtain confidential infor­ The Ninth Circuit's narrow interpreta­ observed that the CFAA should be construed mation and trade secrets for Nosal. Korn tion of the CFAA in Nosal has since been

34 Los Angeles Lawyer July/August 2013 adopted by the Fourth Circuit and by district helmet) entering the wiring closet and remov­ Fourth Circuits. The CFAA prohibits more courts in other circuits,55 but a circuit split ing the laptopJ2 Later that day, he was than just traditional hacking, and Swartz remains between Nosal and Citrin. arrested. ]STOR declined to pursue legal may have found himself on the wrong side of action against Swartz aftet he turned over his the circuit split. The Facts of the Swartz Case hard drives, which contained 4.S million The Swartz case was pending in the Dis­ Aaron Swartz once wrote, "Stealing is wrong. JSTOR documentsJ3 In July 2011, however, trict of Massachusetts, and the First Circuit But downloading isn't stealing. "56 In 200S, a federal indictment charging Swartz with previously had taken a broad interpretation Swartz wrote a computer program that violations of the CFAA was unsealed in the of the CFAA in a case in which the plaintiff rapidly downloaded millions of pages of U.S. District Court for the District of had sought to prevent a competitor from court filings from PACER after a pilot pro­ MassachusettsJ4 He was accused of violat­ using an auromated computer program gram was started to allow free access to ing JSTOR's use policies and circumventing (referred to as a scraper) that would down­ PACER.57 Swartz's downloads were then ]STOR's and M1T's technical restrictions. A load the contents of its public Web site to cre­ made freely accessible on the servers at pub­ press release by the U.S . Attotney's Office ate a competing travel service.B! Although lic.resource.org. 58 Shortly thereafter, the gov­ ernment ended the pilot project of free access for PACER.5 9 The FBI investigated Swartz but closed its file in 2009.60 About a year later, Swartz allegedly attempted to access and rapidly download a large numbet of academic articles from JSTOR, a nonprofit that provides a searchable database of digitized articles archived from over 1,000 academic journals.6! Libraries and universities pay a subscription fee fot access to JSTOR's collection of digitized jour­ nals.62 JSTOR's terms of service prohibit downloading or exporting documents from JSTOR using automated computer pro­ grams.63 JSTOR also uses technical measures to prevent automated downloading.64 Swartz allegedly used a laptop connected to the computer network of the Massachusetts Institute of Technology (MIT), a JSTOR sub­ scriber, to access JSTOR.65 (MIT has a very permissive computer culture, and its network is open and available to anyone on campus. Anyone on the MIT campus could have sta ted that Swartz"faces up to 35 years in the Fitst Circuit would not infer a prohibition access to ]STOR.66) In response to Swartz's prison, to be followed by three years of under the CFAA against automated access, the rapid downloading ofJSTOR articles, JSTOR supervised release, restitution, forfeiture and circuit did state in dicta that explicit restric­ blocked the Internet Protocol (lP) address for a fine of up ro $1 million."75 tions set forth on a public Web site's terms of MIT that had been assigned to Swartz's lap­ Later, Carmen M. Ortiz, the U.S. Attorney service could be enforced under the CFAA.B2 top. Swartz then established a new IP address overseeing the case, stated that "stealing is Thus, a Massachusetts court may not have on the MIT network to sidestep ]STOR's stealing, whether you use a computer com­ followed Nosal's narrow interpretation of block.67 ]STOR complained to MIT about mand or a crowbar, and whether you take the CFAA, which would have excluded terms­ this, and MIT blocked the Swartz laptop documents, data or dollars. "76 It has been of-service violations. Swartz was offered a from its network based on the laptop's MAC reported that the government asserted the plea bargain requiring a felony conviction, address, which is a unique identifier assigned documents downloaded from ]STOR were under which the government would recom­ to each computer's network interface.6B worth $2 miliionJ7 The downloaded docu­ mend a prison term (although his defense Swartz avoided MIT's block by changing ments apparently included publications such counsel could argue to the judge for proba­ (or spoofing) his laptop's MAC address.69 as the 1942 edition of the Journal of Bo­ tion instead).B3 Faced with the government's The cat-and-mouse game continued tanyJB As Lessig argued, "[A)nyone who demand for jail time, Aaron Swartz took his about two weeks until Swartz physically says that there is money to be made in a own life in ]anuary.B4 plugged his laptop directly into MIT's com­ stash of ACADEMIC ARTICLES is either puter network in an unlocked wiring closet an idiot or a liar. "79 Aaron's Law located in a basement on MIT's campusJo A com puter expert for the defense asserts In the wake of Swartz's death, there have There, he allegedly continued to download that Swartz did not hack ]STOR under any been several proposals to amend the CFAA. articles from JSTOR. MIT traced the loca­ reasonable definition-Swartz did not use These proposed amendments have been tion of the laptop in the closet and decided parameter tampering, break a CAPTCHA, or referred to as Aaron's Law. to treat the downloading as a ctiminal mat­ do anything more complicated than auto­ Orin Kerr, a professor at the George Wash­ ter. Local police were called and were joined mate a process that downloads a file in the ington University Law School and a former by a Secret Service agent, who recommended same manner as clicking Save As from a federal prosecutor, has proposed a number of installing a surveillance cameraJ! In early browser. BO It is unclear whether this defense changes to the CFAA, including "(1) elimi­ ] an ua ry, the ca mera alleged Iy recorded would have been successful, even with the nating liability for exceeding authorized Swartz (with his face obscured by a bicycle recent case law developments in the Ninth and access, (2) tightening the felony thresholds

los Angeles lawyer July/August 2013 35 throughout the statute, and [3) eliminating acceptable use policy or terms of ser­ F. Supp. 2d 766, 771 (2008). several sections of the statute, including.. . vice agreement with an online service 11 The CFAA was a 1986 amendmenr ro 18 U.S.c. §1030, bur rh e convenrion is ro refer to §1030 as a the civil liability provision which is chiefly provider, Internet website, or employer; whole as rh e CFAA. The original 1984 sra rure was responsible for the overly expansive read­ or (ii) efforts to prevent personal iden­ called rhe Comprehensive Crime Conrrol Acr (CCCA). ings of the statute. "85 Kerr also proposed tification of a computer user, or iden­ Orin S. Kerr, Vagueness Challenges to the Computer that "access without authotization" mean tification of a user's hardware device or Fraud and Abuse Act, 94 MINN. L. REV. 1561, 1561 "to circumvent technological access barriers software, through a user's real name, n.2, 1563-64 (2012) Ih ereinafrer Kerr]. ro a computer or data without the express personally identifiable information, or 12 Marrhew Kapiranyan, Beyond WarCames: Ho w the Computer Fraud and Abuse Act Should Be or implied permission of the owner or oper­ software program or hardware device Interpreted in the Employment Context, 7 115: J.L. & ator of the computer. "86 Kerr later posted a identi fier( s).96 POI.'Y FOR THE [NCO. SOC'Y 405, 410 (Winrer 2012). series of scenarios in an attempt to help iden­ In March, a group of Internet companies 13 Kerr, supra nore 11, ar 1566. tify what should be the proper line between and organizations signed a letter to the House 14 ld. (c iring 18 U. S.c. §1 030(g)). authorized and unauthorized access ro a Subcommittee on Crime, Terrorism, and 151d. at 1567-68 (ciring 18 U.S. c. §1030(e)(2)). 16 ld. ar 1571. computer.87 The scenarios include examples Homeland Security in support of the efforts 17 See 18 U.s.c. §1 030(a)(2); see also Jennifer Granick, of circumventing cookie-based restrictions led by Lofgren to reform the CFAA.97 Thoughts Oil Orin Kerr's CFAA Re(orm Proposals: A and CAPTCHA gates.88 Even with the bipartisan suppOrt of Creat Second Step, The Cenrer for Inrernet and Sociery The Electronic Frontier Foundation (EFF) Representative Darrell Issa and Senaror Ron (Jan. 23, 2013), hrrps:llcyberlaw.sranford.edu/blog has proposed defining "without authoriza­ Wyden, the fate of these proposals is uncer­ 12013/01 Irhoughrs-orin-kerrs-cfaa-re form-proposa Is -grear-second-srep Jherei nafrer Granick, Thoughtsl tion" to mean "to circumvent technological tain.98 As Tim Wu, a professor at Columbia ("Hisrorically, rhe CFAA partirioned rhe world of com­ access barriers to a computer, file, or data Law School, has observed, "Congress rarely puter criminals into rwo' camps, oursidus who 'access without the express or implied permission scales back criminal laws. "99 Moreover, pro­ without authorization' and wayward insiders who abuse of the owner or operator of the computer to posals ro narrow the scope of a criminal their position of trust to 'exceed 3uthorii".ed access' and access the computer, file, or data, bur does not statute often include provisions for increased obrain informarion rhey were nor enrirled ro."). 18 Investigating and Prosewtillg 21st Century Cyber include circumventing a technological mea­ penalties.IOo According to Lofgren, the effort Threats: Hearing be(ore Ullited States House of sure that does not effectively control access to pass Aaron's Law "will likely take sub­ Representatives Subcommittee on Crime, Terrorism, to a computer, file, or data. "89 The EFF wants stantial time and require sustained and intense Homeland Security and Investigations, 113rh Congo 1 to avoid penalizing "people who have per­ support."'Ol Time will tell whether Aaron's (Mar. 13,201 3) (wrincn sraremenr of Orin S. Kerr), mission to access data but use light technical Law will become law. • available at hrrp:l/www.vo lok h.com/wp-conrenr lupioads/2013/03/KerrCFAATesrimony20 13.pdf. workarounds to access that data. "90 Language 19 See, e.g., Unired Srares V. Morris, 928 F. 2d 504, in the EFF proposal appears to be borrowed 1 Tim Carmody, Mem ory to Myth: Tra cing Aaron 505 (1991) (using an In remer "worm" to exploir a secu­ TH E VERGE Uan. from the anticircumvention provisions of the Swartz through the 21st Century, riry flaw in a compurer's programm ing code); 22, 2013), http://www.rheverge.com/201 3/1/22 Digital Millennium Copyright Act, which YourNerDaring, Inc. V. Mirchell, 88 F. Supp. 2d 870, 1389858/aaron·swarrz·profile-memory-ro-myrh. have been interpreted to mean that a tech­ 871 (2000) (hacking a daring service Web sire and 2 La wrence Lessig, LESSI G BLOG, Pr osecutor as Bully, diverring irs users ro a porn sire). nological measure restricting one form of v2 (Jan. 12, 20]3 ), http://lessig.rumblr.com/posr 20 See, e.g., Pulre Homes, Inc . V. Laborers' Inr'l Union access but leaving another route wide open 140347463044/prosecuror·as-bully [hereinafrer Lessig]. of N. Am., 648 F. 3d 295, 299-98 (6rh Cir. 2011) J Larissa MacFarquhar, THE does not "effectively contro.1 access" and Requiem (or a Dream, (impairing a compurer nerwork by dirccring a large would not be given the force of law. 91 This NEW YORKER (Mar. 11,2013), hrrp://nyr.krlZUnMMv amounr of e-mail ar a specific address). [hereinafrer MacFarquharl. appears intended to exempt IP and MAC 21 See, e.g., Four Seasons Horels & Resorrs B.V. v. 4 See DEMAND PROGR ESS, hrrp://www.demand­ address spoofing and similar forms of tech­ Consorcio Barr, S.A ., 267 F. Supp. 2d 1268, 1298 progress.orgl (Mar. 25, 2013); see also Jusrin Perers, (S.D. Fla. 2003) ("ISlpoofing is forging an IP address nological circumvention that Swartz was The Idealist: Aaron Swartz Wanted to Save the World. so rhat when a person receives a data packet or com­ 92 Why Couldn't He Save Himsel(?, SLATI (Feb. 7,2013), accused of committing. The EFF also has a munication they believe it is coming fro m somewhere link on its Web site encouraging people to take hrrp:!lslare.meiYevwGC [hereinafter Percrsl. else."), a(rd in part, rev'd in part , 138 F. App'x 297 5 John Schwarrz, Internet Activist, a Creator o( RSS, Is action to amend the CFAA.93 (11 rh Cir. 2005); Facebook, Inc. v. Power Ventures, N. Y. TIMES Uan. 12, Dead at 26, Apparently a Suicide, Inc., 844 F. Supp. 2d 1025, 1037 (N.D. Cal. 2012) Representative Zoe Lofgren has posted a 2013), hrrp:l/www.nyrimes.comf2013/01113Irechnology ("[OJne of the objecrives of rhe [proxy sysreml design draft bill, christened as "Aaron's Law, " to /aa ron -swa rrz- i nre rnet-acti vise-d ies-a r- 26. htm l? _r=O was ro reconfigure rhe IP connecrions if an II' address revise the CFAA.94 A revised draft of the bill Ihereinafrer Schwartzi. was blocked. "). 6 See, e.g., Orin Kerr, The Criminal Charges against eliminates the "exceeds a uthorized access" n See, e.g. , Mears by Linz, Inc. V. Dear, No. 10-1 51 1­ language from the statute and adds a more Aaron Swartz (Part 1: The Law), TH E VOLOKH CON­ 0,2011 WL 1515028, ar ' 1 (N. D. Tex. Apr. 20, 2011) SPIRACY Uan. 14, 2013), hrrp:llwww.volokh.eomf2013 detailed definition of "access without autho­ (downloading employer's confidential information afrer 10] 114/aaron-swartz-charges; Jennifer Granick, With the hou rs and rh en e-mailing resjgnarion rwo hours larer). rization."95 The revised draft states: CFA A, Lm" and Justice Are Not the Same: A Response 23 See. e.g., Stare Analysis, Inc . v. American Fin. Scrvs., "[A]ccess without authorization"­ to Orin Kerr, TH E Ce'dLR FOR INTERNET AND SOCIETY 621 F. Su pp. 2d 309,316 (£.0. Va. 2009) ("KSE (Jan. hrrps:llcyberlaw.sranford.ed ulblog (A) means (i) to obtain or alter infor­ 14 , 201 3), accessed SrareScape's Web sire usi ng usernames and mation on a protected computer; (ii) 1201310 lIefaa -Ia w-a nd-jusrice-a re ·nor-sa me-response passwords rhar did nor belong ro ir. "). O-orin-kerr. that the accesser lacks authorization to 24 See, e.g., America Online, Inc. V. Na rional Healrh 7 Jennifer Granick, Towards Learning (rom Losing obtain or alter; and (iii) by circum­ Care Discount, Inc., 121 F. Su pp. 2d 1255, 1260 (N.D. Aaron Swartz, TrlE CENTIR FOR INTER:-JET AND SOCIITY Iowa 2000) (violaring AOL's rerms of service ro send venting one Ot more technologica I (Jan. 14, 2013), hrrps:llcyberlaw.sranford.edll/blog bulk e- mail). 120 13/01lrowards-learning-losing-aaron-swa rtz Ihere­ measures that exclude or prevenc unau­ 25 See, e.g., Chas. S. Winner, Inc. V. Polisrina, 2007 WL thorized individuals from obtaining inafrcr Gra nick, Learningl. 1652292, ar '2, (D. N.j. Jllne 4, 2007) ("Absent diver­ 8 Paul j. Larkin, Jr., Unired Srares v. Nosal: Rebooting or altering that information; and (B) siry jurisdiction, a case of rhis kind so unds in state statu­ the Computer Fraud and Abuse Act, 8 SHON HALL CIR. rory and common law and is hea rd in srare courr."). does not include the following, either Rrv. 257, 261 (2012); see also id. 261nternarional Airport Crrs., L.L.c. V. Cirrin, 440 F. in themselves or in combination-(i) a 918 U.s.c. 1030. § 3d 418 (7rh Cir. 2006). violation of an agreement, policy, dury, 10 See Incorp Servs. Inc. v. Incsmarr.Biz Inc., No. 11­ 271d. ar 419-20. or contractual obligation regarding 4660, 2012 WL 3685994, ar ' 4 (N.D. Cal. Aug. 24, 28 1d. ar 421. 2012); American Family Mur. Ins. Co. v. Rickman, 554 Internet or computer use, such as an 29 Id.; see also Shurgard Storage Crrs., Inc. V. Safeguard

36 Los Angeles Lawyer July/August 2013 Self Storage, [nc., 119 F. Supp. 2d 1121,1125 (W.E. ?_r=O [hereinafrer Schwanz]. grear pracrical risk in pleading ro a felony) Wash. 2000) (cited and relied upon by Citrin). 58 Ryan Singel, FBI Investigated Coder for Liberating S4 Peters, supra note 4; see also Lessig, supra note 2 30 Citrin, 440 F. 3d at 421. PaywaJled Court Records, WIRED (Oct. 5, 2009), ("[TJhe quesrion rhis governmenr needs ro answer is 31 United States v. John, 597 F. 3d 263, 273 (5th Cit. hrtp:llwww.wired.comithrearleveV2009110/swanz-fbi why ir was so necessa ry thar Aaron Swartz be labeled 2010) (bank employee accessed cuStomer accounts for [hereinafrer Singel]. a 'felon.' For in rhe 18 months of negotiations, rhat was the purpose of incurring fraudulent charges on those 59 Schwarrz, supra note 57. The RECAP add-on for the whar he was not willing to accepr."). accouors); United States v. Rodtiguez, 628 F. 3d 1258, Firefox browser now allows userS to auromatically 85 Orin Kerr, Proposed Amendments to 18 U.S.c. 1030, 1263 (II th Cir. 2010) (employee of the Social Security save paid-for coun filings downloaded from PACER THE VOLOKH CON SPIRACY (jan. 20, 2013), hrrp:llwww Administration used an SSA database for personal Onto a public server thar can later be accessed for free .volokh.com/201310 I120/proposed-amendments-ro , reasons). by orher RECAP users. Singel, supra nore 58. -18-u-s-c-I0301. J2 Compare ViChip Corp. v. Lee, 438 F. Supp. 2d 60 Id., see also Aaron Swartz, Wanted by the FBI, RAW 86 Orin Kerr, Proposed Amendments to 18 U.s. c. 1087, 1100 (N.D. Cal. 2006) (following Citrin's broad THOUGHT (Ocr. 5, 2009), hrrp://www.aaronsw 1030, THE VOLOKH CONSPIRACY (Jan. 20, 2013), interpretation of CFAA) with United States v. Drew, .com/weblog/fbifile. hrrp:llwww.volokh.comlwp-contentluploads/201310 1 259 F.R.D. 449, 467 (C.D. Cal. 2009) (noting that a 61Superseding Indicrment at '1 , Unired States v. Swanz, IAmendedl0302.pdf. broad interpretation of the CFAA would result in a No. 11-cr-l0260, Dkr. No. 53 (D. Mass. Sepr. 12, 87 Orin Kerr, M ore Thoughts on th e Six CFAA "standardlcss sweep"). 2012). Scenarios about Authorized Access vs. Unauthorized JJ LVRC Holdings, LLC v. Brekka, 581 F. 3d 1127 (9th 62 1d. ar 2. The subscriprion fees are shared wirh rhe Access, THE VOLOKH CONS PIRA CY (jan. 28, 2013), C ir. 2009). publishers who hold the original copyrights. Id. http://www.volokh.coml201310 1/2811 nore-rhoughrs-on

34 United States v. Nosal, 676 F. 3d 854 (9th Cir. 6J Id. -the-six -cfaa -see n a r ios-a bo u [ - 3 urhori zed -access- vs 2012) (en banc). 64 1d. -u nau rhorized-access/. 35 Brekka, 581 F. 3d at 1129-30. 65 Id. ar 4. (Swan z regisrered under rhe name "Gary "Id. 36 1d. Hosr" and gave his compurer the client name "ghosr S9 Cindy Cohn & Marcia Hofmann, Part 2: EFF's J7{d. at 1134. laptop. ") Id. Additional Improvements to Aaron's Law, DEEPLI NKS 3S Id. at 1135. 66 Id. at 2; see also MacFarquhar, supra note 3. BLOG (jan. 23, 2013), hrrps:llwww.eff.org/deeplinks 39 Id. at 1129. 67 Superseding Indictment, supra note 60, ar 5. jSTOR 1201310 I/pan-2 -effs-additional-illlprovemenrs-aarons 40 rd. at 1134; see also Warren Thomas, Lenity on Me: also remporarily blocked orher II' addresses ar MIT. Id. -law [hereinafer Cohn & Hofmann]. LVRC Holdings LLC v. Brekka Points the Way toward ar 6. 90 Id. Defining Authorization and Solving the Split over the 68 1d. 91 Granick, Thoughts, supra nore 17 (citing Lexmark lm'l, Computer Fraud and Abuse Act, 27 GA. ST. U. L. 69 (d. ar 7. Inc. v. Sraric Control Components, jnc., 387 F. 3d 522 REV. 379,400 (2011). 70 Noam Cohen, How M.I.T. Ensnared a Hacker, (6th Cir. 2004)); but see Srewarr Baker, A Dubious 41 United States v. Nosa l, 676 F. 3d 854, 856 (9th Bucking a Freewheeling Culture, N.Y. TIMES Uan. 20, Proposal (or Amending the Computer Fraud and Abuse Cir. 2012) (en banc). 2013), http://www.nyrimes.com/2013/o1 /21/technology Act, THE VOL OKH CONSPIRACY (jan. 28, 2013), 421d. at 856 n.1. Ih ow-mit-en sn a red -a -hacke r- bucki ng -a -f reewhee ling http://www.volokh.coml2013/0 1/28/a-dubious-proposa I 43 United States v. Nosal, No. 08-0237, 2010 WL -cu Iru reo h tml 'pagewanted=a II. -for -a mend i ng-the-compurer-f ra u d -a nd-a b u se-actl. 934257, at '7 (N.D. Cal. Jan. 6, 2010), rev'd, 642 F. 71 Morion ro Suppress No.1 ar 3-5, United Stares v. 92 Cohn & Hofmann, supra note 89; see also EFF, Ex­ 3d 781 (9th Cir. 2011), rev'd en banc, 676 F. 3d 854 Swam, No. II-cr-l0260, Dkr. No. 59 (D. Mass. OCt. planation of Effecrs of Aaron's Law with EFF Proposed (9th Cir. 2012). 5,2012); see also Two Days Be(ore MIT and Amendmenrs ro " Access Wirhour Authorizarion" Uan. 441d. Cambridge Cops Arrested Aaron Swartz, Secret Service 23, 2013), h trps://www.eff.org/sires/defa ulr/files 45 United States v. Nosal, 642 F. 3d 78 1, 789 (2011), Took Over the Investigation, EMPTY WHEEL (Jan. 13, /Explanarion%200f%20Aaron%E2%80%99s%20Iaw rev'd en bane, 676 F. 3d 854 (2012). 2013), hrrp:llwww.e mprywheel.ner/201 310 1113Irwo %20with%20EFF%20access%20amendments.pdf 461d. at 787. ("Because LVRC had not notified Brekka -da ys-before-ca m bri dge-cops-arresred-aaron-swa rrz (public discussion drafr). of any restrictions on hi s access to (h e computer, -secrcr-servicc-rook-over-rhe-invesrigarion! (arguing [hat 93 EFF.org, The Computer Fraud and Abuse Act Is Brekka had no way to know whether-or when-his under rhe Secret Service's Electronic Crimcs guide­ Broken. Tell Congress to Fix It, hrrps:llacrion.eff access would have become unauthorized.") Id. lines, the agency should not have been involved). .org/o/9042/p/diaiaction/publid?action_KEY = 9005. 47 1d. at 788. But see id. at 790 (Campbell, J., dis­ n Peters, supra note 4; see also Superseding Indictmellt, 94 Adam Clark Estes, The Congressional Backlash over senting). supra nore 60, at 8. Aaron Swartz's Suicide Has Begun, TH E ATl.ANTI C 48 United States v. Nosal, 676 F. 3d 854, 863-64 (2012) 73 See Lessig, supra note 2. W,RE (jan. '15 , 2013), http://www.rheatlanticwi re (en banc). 74 Press Release, United States Attorney's Office for the .com/pol itics120 1 310 I Icongressiona I-backIash-over 49 1d. at 861-62. District of Massachusetts, Alleged Hacker Charged -aaron-swartzs-suicide-has-begunl61 04 8/. 10 Id . at 862. wirh Stealing over Four Million Documents from MIT 95 Discussion Draft, http://lofgren.house.gov/images Slid.; see also United States v. Drew, 259 F.R.D. 449, Nerwork (July 19, 2011), hrrp:llwww.justice.gov Istorieslpdflaarons%20Iaw%20revised %20draft%2001 466 (C.D. Ca l. 2009) (finding the CFAA did not apply lusao/ma/newsl20 11/j uly/Swa rtzAaronPR.htmll here­ 30n.pdf. to vio lations of a Web sire's terms of service). inafrer Press ReleaseJ. 96 Jd.; see also Orin Kerr, Draftil1g Problems with the 52 Nosal, 676 F. 3d at 859-60. 75 Id. See also Steven Musil, U.S. Allorney De(ends Second Version o( "Aaron's Law" (rom Rep. Lofgren, 531d. at 863. Office's Conduct in Aaron Swartz Case, C NET (Jan. THE VOLOKH CONSPIRACY (Feb. 2, 2013), http://www \4 Id. at 864. In a jury trial after the remand, Nosal was 16, 2013), http://news.cner.com/8301-1023_3­ .volokh.com/20 13102/02/d ra fting-problems-with-the found guilty of violating the C FAA because he used a 57564414-93/u .s-artorney-defends-offices-conduct-in­ -secon d -ve rsion-0f -a a rons-I a w-fr om-rep-I 0 fgren. borrowed password ro access KornlFerry's computer aa ron-swartz-casel. 97 See Mark M. jaycox, Startups and Innovators S.. td database. See Vanessa Blum, Nosal Found Guilty in 76 Press Release, supra note 74. Leller to Congress Demanding CFAA Re(orm, Trade Secret Case, TIlE RrCORDER (Apr. 24, 2013), 77 MacFarquhar, supra note 3. DEEPI.INKS BLOG (Mar. '12, 2013), https:ll",ww http://WW\v.law.comljsp/ca/PubArticieCA.jsp·id=12025 781d. .e ff. org/deeplinks/20 I 3103/sra rru ps-and-i n novators 97433473. Nosal's attorneys vowcd ro appeal the ver­ 79 Lessig, supra notc 2 (e mphasis in original). -send-Ierre r-congress-d emandi ng-c faa -refor m. dicr. Id. BO Alex Sramos, The Truth About Aaron Swartz 's 98 Tony Romm, After Activist Aaro/J SwarU's Death, .55 See WEC Carolina Energy Solurions LLC v. Miller, "Crime," UNHAN DLED EX CEPTION (Jan. 12, 2013), a Tough Slog (or A aron's Law, POLITICO (Feb. 8, 687 F. 3d 199, 203 (2012); Dana Ltd. v. American http://unhandled .com/20 13101/121rhe-truth-abour 2013), http://politi.co/XVjnau Ihereinafrer Romm). Axle & Mfg. Holdings, Inc., No. 10-450,2012 WL -aa ron-swa rrzs-crime/. 99 Tim Wu, Fixing the Worst Law in Technology, TH E 2524008, at '4-5 (W.O. Mich. June 29, 2012); 81See EF Cultural Travel BV v. Zefcr Corp., 318 F. 3d NEW YORKER N EWS DE.'K (Mar. 18,2013), hrrp:llnyr Wenrwoth-Douglass Hosp. v. Young & Novus Prof'l 58 (I st Cit. 2003) (EF Cultural II); EF Cu ltural Travel .kr/YCubsS. Assoc., No. 10-120,2012 WL 2522963, at "'3-4 (D. BV v. Explorica, Inc., 274 F. 3d 577 (1st Cir. 2001) (EF 100 See Orin Kerr, Recent Developments-Both ill Conn. june 29, 2012); JBCHoldings NY, LLC v. Cultural I). the Courts and in Congress-on the Scope o( the Pakrer, No. 12-7555,2013 WL 1149061, at· 5 (S.D. 82 EF Cultural II, 318 F. 3d ar63. Computer Fraud and Abuse Act, THE VOLOKH N.Y. Mar. 20, 2013). 8J MacFarquhar, supra note 3; see also jennifer Granick, CONSP IRACY (july 30, 2012), http://www.volokh.com 56 See hrrp:llwww.aaronsw.co miweblog/001112. Towards Learning (rom Losing Aaron Swartz: Part 2, 1201 2/07/3 O/recent-developmenrs-borh-in-the-courts 17 john Schwarrz, An Effort to Upgrade a Court Archive The Center for Interner and Society (jan. 15,2013 ), -a n d -i n -congress-on-the-scope-of-rhe-co m purer-fr a u d System to Free and Easy, N. Y. TIMES, Feb. 12, 2009, hrrps:llcyberJa w .sta nford.edu/blog/201310 I lrowa rds -and-abuse-acr. http://www.nytimes.coml2009102l1 3/usll3records.hrml -learning-losing-aaron-swarrz-parr-2. (discussing the 101 Romm, supra note 98.

Los Angeles Lawyer luly/August 2013 17