When Do You ‘Exceed’ Your Authorization to Use Computer Data?

The law is murky on what constitutes legal authorization and use of computer data

In Greek mythology, Cassandra was cursed with the ability to know the future, and with the inability to effectively warn anyone about it. Her warnings about the origins of the Trojan/Greek war went unheeded and she was treated as a mad woman. The story of Cassandra may be a warning for today.

At about 2:20 p.m. on Nov. 10, people in the Florida Department of Health started receiving messages from the emergency messaging application called ReadyOPS. Members of the messaging group “StateESF-8.Planning” received a message that warned them about the novel coronavirus, and advised them that it was “time to speak up” in light of more than 17,000 dead in Florida and that they should “speak out before it is too late.” The ReadyOPS application, which is used by the Department of Health and others, is accessible to an undisclosed number of users, all of whom apparently use the same userid and password.

The message was delivered to about 1,700 users of the ReadyOPS system before the Bureau of Preparedness and Response of the Department of Health was able to rein in the message. An examination of the log files pointed to a specific Comcast IPv6 address, which the affidavit of the investigator indicated “sent the group text” and that the investigator resolved that IP address to former Health Department employee Rebecca Jones “through the use of investigative resources.” The police then executed a search warrant on Jones’ residence, seizing her computers and phone upon a showing of probable cause to believe that Jones’ devices had evidence of a violation of Florida’s Computer Crime statute, which provides:

(2) A person commits an offense against users of computers, computer systems, computer networks, or electronic devices if he or she willfully, knowingly, and without authorization or exceeding authorization:
(a) Accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized or the manner of use exceeds authorization.

The statute parallels the language in the federal computer crime statute, which makes it a crime to “access” a computer “without authorization” or in excess of authorization. But what do these terms really mean? When is a user using a computer “in excess” of authorization?

Just a week before, on Nov. 30, the U.S. Supreme Court heard oral argument in the case of Van Buren v. United States, involving a Georgia police officer who accessed the National Crime Information Computer (NCIC) database, which is restricted for use by law enforcement and related individuals “for law enforcement purposes.” Having accessed the database as a cop with a valid userid and password, Van Buren went on to use the data for non-law enforcement purposes—passing the data on to an associate for money. Obviously, Van Buren could be fired and prosecuted for corruption, mail and wire fraud, embezzlement, theft, misappropriation, “honest services” fraud and possibly false statements or false certifications, among other things. But was this an “access” to a computer in “excess” of his authorization? Did Van Buren “hack” the NCIC computer?

Courts have been struggling with determining which uses of a computer are “authorized” and which uses “exceed” authorization, and what standard to apply. The broad approach says that the “owner” or operator of the computer, network or data gets to determine not only who can access the computer or data, but for what purposes they can access and use the computer or data. The owner “authorizes” the “access.” Any access or use of the computer or data that is not specifically authorized by the owner is either “unauthorized” or exceeds the scope of authorization. As a result, we can inquire about the motive or intent of the user who uses authorized credential to access a database or network or device to which they have authorization, but does so for a purpose that is either not authorized or that is specifically prohibited.

An example: A real estate salesman accesses his company’s database with credentials to see the latest leads on people who might be interested in buying property. You know, the Glengarry leads—the premium leads. They take the Glengarry leads and use them not for the benefit of their own company but to give to a competitor or to start their own business. Did they “embezzle” information? Probably. Did they deprive their employer of their “duty of loyalty?” Sure. Did they commit “hacking?” It’s a very slippery slope. Every time a user with credentials uses a computer for a purpose for which they were not authorized or uses data they access through a computer for a purpose not authorized, they run the risk of being prosecuted for “accessing” that data “in excess of authorization.” And it need not be secret data, since it is the “access” that must exceed authorization.

This has led to what is called a “circuit split,” with different federal circuit courts finding that the broad approach to defining access is inconsistent with the intention of Congress in 1986, and with the wording of the statute, and with the general rule that we should read criminal statutes narrowly as to not imprison people who really did nothing wrong. Other circuits, including the one in which Georgia sits, have taken a broader reading of the statute. Any use of a computer that exceeds what the owner authorizes is a prosecutable crime. For most purposes, your “authorization” to use a platform, a service, a website or data comes from a “Terms of Use” or “Terms of Service” document that you never read. In one case, a florist in Missouri set up a MySpace account in the name of a fictitious teenager, thereby violating the MySpace user agreement that required her to use her real name in creating an account. She was dragged into federal court in Los Angeles and prosecuted for “exceeding her authorization” to access MySpace’s computers in LA. In other cases, scalpers who purchased tickets to sporting events and resold them in violation of an online policy were at risk of prosecution for hacking not because they bypassed any technical measures to prevent them from accessing the ticket purchasing site, but because they had improper intent when they bought the tickets online (exceeded authorized access). Some years ago, a man at a Best Buy in Reston, Virginia, was arrested for physical trespass into the store because he was using his smartphone to comparison shop prices in violation of the company’s policy. Same idea. If you violate your company’s “no personal use of computers or phones” policy—say, by checking out the score in the football game between the Washington Football team and the Pittsburgh Steelers—then you run the risk of having “exceeded” your authorization to access (use) the computer and a hefty jail term may apply.

Most recently, employees of a trucking company “accessed confidential company information from their company-issued computers and cell phones and then utilized the information in violation of company policy.” Because the federal computer crime statute contains both a civil and criminal provision, their employer sued them for the crime of computer hacking. The federal appeals court on Sept. 9 found that the actions of the employees did not violate the hacking statute—it does not apply when someone with authorization to get data uses that data for an improper or unapproved purpose, but “that in utilizing the phrase “exceeds authorized access,” the CFAA targets one who initially “gain[s] entrance to . . . a system, network, or file” with “sanction or permission,” and then “gain[s] or attain[s]” “information” that, in the words of the statute, she is “not entitled so to obtain . . . .” Mere violations of rules or policies alone do not a hacker make.

The Supreme Court is expected to rule in the Van Buren case in the next few months. This will likely be of little help to former Florida health official Jones since her “access” to the messaging platform was likely revoked upon her termination as an employee. However, a few questions remain in her case. First, of course: Why were all users of the platform using the same userid and password? Second: Could a current employee “authorize” Jones to send the message on their behalf? Third: Did the forensics link the contents of the message to Jones’s IP address or the sending of the message through the system to her address (did she just send the message to another employee who posted it, or did she actually log on and post it?) Fourth: Were Jones’ credentials (authorization to send messages) revoked on her termination? Also, there is the “necessity” defense—that the access to the system was essential to prevent greater harm (jaywalking to put out a fire). Finally, there’s this lingering question of how the police turned the IPv6 address into Jones’ home using an “investigative technique.” Comcast (Xfinity) privacy policy states that they will only reveal personal information (including subscriber name) “When required by law or to respond to legal process.” Presumably the FDLE “investigative technique” was a search warrant, grand jury subpoena, administrative subpoena or other process that required Comcast to produce Jones’ records. Clearly Comcast would not have given FDLE officers the IP information without some degree of compulsion.

Presumably, we will soon learn what underlying information FDLE has to support the search warrant and how it got it. And then we can learn whether Jones did or did not send the message to the group chat, and whether that “exceeded the scope” of her authorization. You know, like Cassandra warning about the (original) Trojan horse. And Cassandra’s warnings similarly went unheeded.

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark