United States v. John (2010)

In United States v. John, 597 F.3d 263 (2010) [1] United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act 18 U.S.C. §1030(e)(6) [2] and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.[1]

United States v. John
CourtUnited States Court of Appeals for the Fifth Circuit
Full case name United States of America v. Dimetriace Eva Lavon John
DecidedFebruary 9, 2010
Citation597 F.3d 263 (2010) [3]
Case history
Prior actionsDistrict Court for the Northern District of Texas convicted the defendant of conspiracy to commit access device fraud, fraud in connection with an access device and exceeding authorized access to the employer's computer internal system.
Court membership
Judges sittingJerry E. Smith, Priscilla Owen and Catharina Haynes
Case opinions
The Fifth Circuit affirmed appellant's convictions, but vacated her sentence and remanded for further proceedings.
Decision byPriscilla Owen
Keywords
Computer Fraud and Abuse Act

In particular, the court ruled that an employee would exceed authorized access to a protected computer if he or she used that access to obtain or steal information as part of criminal scheme.[1]

This case addresses the issue of the distinction between authorized access to information and subsequent use of information obtained through an authorized access for the purposes of CFAA.

Background

edit

Dimetriace Eva Lavon John was employed as an account manager at Citigroup for approximately three years. She was authorized to access Citigroup's internal computer system, which contained customer account information, in the course of her official duties.[1]

In September 2005, John provided Leland Riley, her half-brother, with customer account information pertaining to at least seventy-six corporate customer accounts of Citigroup customers. She collected the information from the internal computer system of Citigroup and provided it to Riley in the form of either scanned images of checks written by the account holders or printouts of computer screens, which contained detailed account information.[1]

Riley and his co-conspirators used customer account information provided by John to incur fraudulent charges on four different customer accounts. The total amount of actually incurred fraudulent charges was $78,750.[1]

John was found guilty by the United States District Court for the Northern District of Texas of:

  • conspiracy to commit access device fraud in violation of 18 U.S.C. § 371;
  • fraud in connection with an access device and aiding and abetting in violation of 18 U.S.C. §§ 1029 (a)(5) and (2);
  • exceeding authorized access to a protected computer in violation of 18 U.S.C. §§ 1030(a)(2)(A) and (C).[1]

John appealed the indictment to the Fifth Circuit. She argued that she was authorized to use Citigroup's internal computer system as an employee. John contended that Computer Fraud and Abuse Act does not prohibit unlawful use of material that she was allowed to access through authorized use of a computer.[1]

Fifth Circuit Opinion

edit

Exceeding authorized access to a protected computer

edit

This case centers around the issue of whether an employee who was authorized to access an employer's internal computer system for the purposes of performance of her job duties should be charged for unlawful use of the information that she was authorized to access in violation of 18 U.S.C. § 1030(e)(6).

As the Fifth Circuit analyzed the case, the crucial issue was whether "authorized access" or "authorization" may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system.[1]

§ 1030(e)(6) defines the term "exceeds authorized access" as an access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.[2]

John contended that she was authorized to use Citigroup internal computer system and that she was permitted to view and print information regarding Citibank customers' accounts in course of her official duties. She argued that CFAA prohibits only using authorized access to obtain the information that she was not entitled to obtain, but does not impose liability for the unlawful use of the information that she was authorized to access.[1]

There are two contrary interpretations of the term "exceeding authorized access" by the courts.

In determining what constitutes exceeding authorized access in LVRC Holdings v. Brekka, the Ninth Circuit concluded that a person who is authorized to use a computer does not exceed authorization simply by acting contrary to the computer owner's interest, but only by obtaining or altering information in the computer that she is not entitled to obtain or alter.[3]

LVRC Holdings LLC filed a lawsuit against its former employee, Christopher Brekka, who accessed the company computer, obtained LVRC's confidential information and emailed it to himself and his wife to further his personal interest and to compete with his employer once he left the company.[4]

The Ninth Circuit ruled that Brekka's use of LVRC's computers to email documents to his own personal computer did not exceed authorized access and violate § 1030(a)(2) or § 1030(a)(4), because Brekka was authorized to access the LVRC computers during his employment with LVRC. The Ninth Circuit stated that an employee can violate the employer-placed limits on accessing the information stored on the computer and still have authorization to access the computer. Similarly, a person who is authorized to use a computer does not exceed authorization simply by acting contrary to the computer owner's interest, but only by obtaining or altering information in the computer that she is not entitled to obtain or alter.,.[1][4]

In EF Cultural Travel BV. v. Explorica, Inc.[5] the First Circuit construed the term "exceeds authorized access" in a different way, interpreting "exceeding authorized access as exceeding the purposes for which such access was given." The court held that the former employees exceeded authorization of EF computer system in violation of § 1030(a)(4), because they breached the confidentiality agreement with the former employer and used proprietary information and know-how that they obtained while employed by EF to create a computer program allowing them to compete with the former employer.,[5]

Fifth Circuit reasoning

edit

Recognizing both the concept that the access to the computer is governed by the scope of the employment agreement and a concept that the employee is still considered to have an authorization to use a computer, even if he or she used a computer or information on it in a ways contrary to employer's limitations, the Firth Circuit agreed with the former interpretation elaborated on it.

The Fifth Circuit confirmed that access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.[1] The court further stated that an express restriction on access to a computer is in fact binding at least if the wrongdoer accesses the computer in furtherance of a criminal act.[6]

The court found that though John was authorized to view and print all of the information that she accessed, her use of Citigroup's computer system to run in fraudulent charges was not an intended use of that system.[1]

John's access to the Citigroup computer system was confined and she was aware of the Citigroup employee company's policies, establishing restrictions on the use of the Citigroup computer system.[1]

Despite being aware of these policies, prohibiting misuse of the company's computer system, John accessed account information for the customers whose accounts she did not manage, removed this highly sensitive information from the Citigroup premises, and used this information to perpetrate a fraud on Citigroup and its customers.

The Fifth Circuit concluded that John exceeded authorized access to a protected computer within the meaning of CFAA. The court's reasoning was that John knew that the purpose for which she was accessing the information in a Citigroup computer system both violated the employer's internal policies and was a part of an illegal scheme.[1]

Holding

edit

The court affirmed John's convictions, but vacated her sentence on the ground that her sentence has been imposed without accompanying district court justification and district court's consideration of the correct sentencing range. The Fifth Circuit remanded the case for further proceedings.

See also

edit
  • Computer Fraud and Abuse Act
  • LVRC Holdings v. Brekka
  • EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (2001)
  • United States v. Nosal
  • Computer Crime Law, 2d, St. Orin S. Kerr, Paul, MN : Thomson West, 2009.
  • Software and Internet Law, Mark A. Lemley, Peter S. Menell, Robert P. Merges, Pamela Samuelson, and Brian W. Carver, Edition: 4th Edition 2011, Publisher: Wolters Kluwer.
  • Orin Kerr "Should Faking a Name on Facebook Be a Felony?," Op-Ed., Wall Street Journal, Sept. 14, 2011.

References

edit
  1. ^ a b c d e f g h i j k l m n o United States v. Dimetriace Eva-Lavon John, 597 U.S. 99 (2010).
  2. ^ a b Computer Fraud and Abuse Act
  3. ^ Jennifer Granick, "Ninth Circuit Holds Disloyal Computer Use Is Not A Crime". [1]
  4. ^ a b LVRC Holdings v. Brekka, 518 F.3d 1127 (2009)
  5. ^ a b EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (2001)
  6. ^ Orin Kerr, "United States v. John and the Meaning of "Authorization" to Access a Computer". [2]