2014 cybercrimes problem


Upload: omar-ha-redeye

Post on 12-May-2017


SUPREME COURT OF THE UNITED STATES

ORDER GRANTING WRIT OF CERTIORARI  

 

 

DENNIS CRANE,

Petitioner, 

v.  

UNITED STATES OF AMERICA,  

Respondent. 

      

No. 10-1010  

NOTICE IS HEREBY GIVEN THAT the petition for writ of certiorari by petitioner in the above named action is granted; the questions being limited to:

Issue One: Unauthorized Access

Whether the use of a "scraper" program that generates URLs and automatically downloads email addresses displayed on a publicly accessible website, in violation of the website's terms of use, constitutes "unauthorized access" within the meaning of the Computer Fraud and Abuse Act (CFAA).

Issue Two: Warrantless Search of a Wireless Network

Whether police officers' use of a "Shadow" device to locate an unsecured wireless network and the officers' subsequent opening of a shared folder within that network constitutes a search within the meaning of the Fourth Amendment.

Cert. Granted 10/14/2013

Decision Below: United States v. Crane, 912 F.3d 1130 (12th Cir. 2013)


UNITED STATES COURT OF APPEALS

FOR THE TWELFTH CIRCUIT  

 

DENNIS CRANE,

Appellant, 

v.  

UNITED STATES,

Appellee. 

 

 

Appeal from the United States District Court For the District of Ohiowa

 

Argued: December 15, 2012  

Decided: April 8, 2013  

 

Before RUTT, MILDEW & HADDOCK Circuit Judges.  

RUTT, J.:

FACTS AND PROCEDURAL HISTORY

CommCorp’s Network and Tablet Devices

CommCorp is a major telecommunications corporation. CommCorp operates a nationwide mobile telephone network. Through partnerships with several technology corporations, CommCorp markets and sells a variety of cell phones, smartphones, and tablet devices that operate exclusively on CommCorp’s network. Each device that operates on CommCorp’s network has an individualized identification code consisting of several letters and numbers. The identification number is included in the paperwork accompanying each device when sold and is also electronically stored within each device. A user can find his or her device’s identification number by viewing the device’s settings.

CommCorp also operates a website and encourages its customers to register on this website so that they may access billing data, software updates, and other services. To register, users must enter their name, address, email address, and the identification code for their device. Users then choose a password for their account. After registering with CommCorp, users can enter their email address and password on CommCorp’s website and access their accounts.

In 2011, CommCorp began marketing a tablet device to its users. Users can use the device to access the internet via CommCorp’s mobile telephone network or through wireless networks. To make account access easier for CommCorp customers, when users open CommCorp’s website using a tablet device, their email address automatically appears on the webpage so they can access their accounts simply by entering their passwords.

CommCorp achieves this result by directing tablet users to specific web addresses (known as Uniform Resource Locators, or “URLs”) that correspond to their tablet’s identification number when users access the website from their tablets. At each of these URLs, the user’s email address is already entered into the page. To illustrate: CommCorp’s default login page has the URL, “http://www.commcorp.com/login.” When a preregistered tablet user accesses CommCorp’s website from his or her tablet, however, the user is automatically directed to a URL, for example:

“http://www.commcorp.com/login/user/openpage?ICCID=XXXXXXXXXXXXXXXXXXXX,”

where the string of X’s represents the user’s 20-digit tablet identification number. Under this URL, a tablet user[1] will see CommCorp’s login page with his or her email address already entered into the page.

CommCorp’s website terms of service prohibit website users from accessing web pages associated with devices they do not own. The terms of service specifically state that website users may not use their browsers[2] to enter device identification numbers that correspond to devices that the users do not own. The terms of service also prohibit users from copying email addresses from CommCorp’s login pages. These terms of service can be located by scrolling to the bottom of any page on CommCorp’s website, including the login page, and clicking on a “Terms of Service” link, which takes users to another webpage with a secondary list of various terms of service document links for users, businesses, and CommCorp employees. CommCorp’s terms of service are detailed, and each list of terms amounts to approximately ten pages of text if printed.

[1] A computer user who attempts to access this URL will not be able to access an account login page for a tablet because the “user agent” string of a computer communicates to the website that the person attempting to access the page is a computer user and not a tablet user. A “user agent” string communicates with servers and identifies the operating system that is running a user’s web browser.

[2] Web “browsers” are software applications that typically include “address bars” into which users may enter URLs for purposes of accessing the webpages associated with those URLs.

The Defendant’s Use of a Scraper Program on Company’s Website

Defendant’s roommate, Mortimer Burns, purchased a CommCorp Tablet. Burns went to CommCorp’s website to register his tablet with his CommCorp account that he had previously established when he bought a CommCorp Smartphone. After registering his tablet, Burns found that if he accessed CommCorp’s website using the tablet, his email address would automatically appear – requiring him to only enter his password in order to access his account.

Burns told Defendant that CommCorp’s website automatically generated his email address. Defendant thought that this could be a potential security breach for CommCorp and decided to investigate further. When Defendant used his computer to enter the URL associated with Burns’ login page, Defendant found that he could not access Burns’ login page. Figuring that this had something to do with the “user agent” string, Defendant modified his computer’s user agent so that his web browser would identify his computer as a tablet device when accessing the Internet.

After modifying his computer in this manner, Defendant discovered that he could access a login page with Burns’ email address already entered on the page by replicating the URL associated with Burns’ login page. Defendant noticed that a portion of the URL was identical to Burns’ tablet identification number and suspected that changing this portion of the URL could allow him to access other web pages with other users’ email addresses.

Accordingly, Defendant developed a “scraper” program. This program, when activated, would repeatedly enter randomized CommCorp login URLs. The vast majority of these entries would not contain valid tablet identification numbers and would therefore fail to link to any valid webpages. When the entered URL would return a page with a user’s email address, the program would copy the pre-entered email address and paste it into a spreadsheet. Defendant activated the scraper program and let it run for several days. When Defendant deactivated the program, he had collected over 150,000 email addresses. Among these email addresses were several addresses belonging to military personnel, government officials, and business executives.

Defendant and Burns contacted several news websites, telling them about their discovery and use of the scraper program. When notifying these websites of what he had done, Defendant remarked that CommCorp users were vulnerable to the “theft” of their personal contact information. Defendant further explained that he had exploited that vulnerability and “stolen” that information.

A popular technology blog, TechBlog, ended up reporting how CommCorp stored users’ email addresses and that these addresses could be accessed by simply entering a URL with a device identification number. TechBlog identified Defendant and Burns as the individuals who had called attention to the situation and reported that a scraper program had been developed that had downloaded the email addresses of thousands of tablet users. TechBlog also displayed several redacted addresses of high profile tablet users that Defendant had downloaded. TechBlog did not report that Defendant had developed the scraper program and downloaded those email addresses.

The Police Officers’ Accessing of Defendant’s Wireless Network and Shared Folder

TechBlog’s story led to an avalanche of negative publicity for CommCorp, with major newspapers labelling the scraper program as a major security breach. CommCorp contacted the Federal Bureau of Investigation (FBI) whose agents set out to determine who had developed the scraper program and downloaded the emails. Because TechBlog had mentioned Defendant and Burns, the FBI began to investigate them. Two agents, Boot and Block, drove to Defendant’s neighborhood and parked their vehicle at the side of the street, approximately 200 yards from Defendant’s house. Agent Boot had a Shadow, a handheld device that detects the presence of wireless networks.

The Shadow is manufactured and sold to law enforcement by Dwayne Enterprises, a company that specializes in manufacturing police and military equipment. The Shadow is a standard piece of equipment in every police vehicle. It is not available for purchase by members of the general public. The Shadow runs a scan for wireless networks within a 500 yard radius and displays the names and security status of each network that it detects. Moreover, the Shadow calculates the estimated distance of each wireless network’s router by comparing the signal strength of each network signal with the type of signal detected.

Agent Boot activated the Shadow and discovered a wireless network that was named after Defendant. Upon locating this network, Agent Block activated the laptop computer that the officers had in their car, which also detected the Defendant network. Agent Block noted that Defendant’s network was not password-protected, meaning that anybody with a laptop computer could access the network. Once Agent Block logged into this network, he discovered that he had access to a folder that was shared over that network. Agent Block accessed this folder and found evidence that identified the folder as belonging to Defendant. Agent Block also uncovered the spreadsheet with all of the email addresses that Defendant’s scraper program had downloaded.

Once Agents Boot and Block viewed the spreadsheet, they obtained a warrant to search Defendant’s home to retrieve files, computers, and other electronic storage devices that were associated with Defendant’s access of CommCorp’s website. When they received the warrant, Agents Boot and Block entered Defendant’s home. They arrested Defendant, and seized a number of computers as well as physical documents.

In an evidentiary hearing, Agent Boot testified that the Shadow’s ability to detect wireless networks, their names, and security statuses were functions that could be carried out by a laptop computer or Smartphone. Agent Boot testified that he was not aware of any Smartphone or laptop that could estimate the range of the router for each wireless network.

Defendant was charged with violating the Computer Fraud and Abuse Act (CFAA). 18 U.S.C. §1030. The government argued that Defendant had accessed CommCorp’s webpages without authorization when he used the scraper program to enter and access the various URLs associated with tablets. The government further argued that defendant gained additional unauthorized access when he copied the email addresses using the scraper program. At trial, the government introduced the spreadsheet they had recovered from the shared network as well as several other files they had recovered from Defendant’s computer. The trial court denied Defendant’s Fourth Amendment motion to suppress the evidence and admitted the spreadsheet and other files.

Defendant was convicted and sentenced to a prison term of ten years. He appeals, arguing that the trial court’s interpretation of the CFAA was erroneous and that his actions had not constituted unauthorized access. Moreover, Defendant contends that the FBI agents violated his Fourth Amendment rights when they accessed his wireless network and shared folder.

DISCUSSION

Defendant Violated the CFAA

Defendant argues that his actions did not constitute “unauthorized access” under the meaning of the CFAA. Defendant claims that the trial court’s determination that his conduct was unauthorized is erroneous and that the court’s decision should be reversed.

The CFAA is codified at 18 U.S.C. §1030. Defendant was convicted under 18 U.S.C. §1030(a)(2)(C). Under this provision, anybody who “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from any protected computer” shall be punished in accordance with subdivision (c) of the CFAA. 18 U.S.C. §1030(a). The trial court ruled that CommCorp’s website is a “computer” within the meaning of the CFAA because it fits the definition of a “data storage facility” that is used in conjunction with computers. 18 U.S.C. §1030(e)(1). Moreover, CommCorp’s website is a “protected computer” within the meaning of the CFAA because it is used in interstate commerce. 18 U.S.C. §1030(e)(2)(B). Defendant does not challenge this on appeal.

Defendant challenges the trial court’s conclusion that he accessed CommCorp’s website “without authorization.” Defendant argues that all the scraper program did was enter URLs that any member of the public could type into a web browser. Defendant argues further that any member of the public, upon entering a URL, could copy the email that would appear on the website. Because the scraper program merely duplicated activities that any member of the public could undertake, the program did not access the website without authorization. The trial court disagreed with Defendant’s interpretation of the CFAA and held that Defendant’s access of CommCorp’s website was unauthorized because Defendant’s access deviated from the intended use of CommCorp’s website and because Defendant violated the website’s terms of service.

We begin our inquiry into whether Defendant’s access was unauthorized by looking to the text of the CFAA. The CFAA does not explicitly define how an individual may access a website “without authorization.” The CFAA does define how defendants may exceed authorized access under 18 U.S.C. §1030(e)(6):

[T]he term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.

This portion of the CFAA does not define what unauthorized access entails, nor does it specifically describe the point where authorized access crosses the line and exceeds authorization in violation of the statute. In the absence of explicit definitions, we must look to the common, contemporary meaning of the terms in the statute. Authorization is defined as “permission or power granted by an authority.” LVRC Holdings, LLC. v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (citing Random House Unabridged Dictionary, 139 (2001)) (internal quotations omitted).

Defendant’s use of the scraper program to access web pages associated with different CommCorp customers and Defendant’s copying of customer email addresses from these pages was unauthorized access under the CFAA. Defendant’s scraper program gained unauthorized access because it deviated from the intended use of CommCorp’s website. United States v. Phillips, 477 F.3d 215, 218-20 (5th Cir. 2007); see also United States v. Morris, 928 F.2d 504, 506, 510 (2d Cir. 1991) (defendant’s use of an early version of email to send a computer virus constituted unauthorized access within the meaning of the CFAA because defendant’s use of email deviated from the intended function of the feature).

CommCorp’s website was designed to make it easier for CommCorp tablet users to access their CommCorp accounts. The website was designed so that tablet users would automatically be directed to a web page with their email address entered. The only other way to access these personalized pages would be to type out the website’s URLs—a tedious bit of guesswork that would require users to type in URLs and hope that they would happen across a URL that contained an appropriate, 20-digit number that matched a CommCorp tablet. Defendant’s tactic of using the scraper program was similar to that of the defendant in Phillips, who developed a program that—by repeatedly entering nine-digit numbers intended to replicate social security numbers—would gain access to websites. Phillips, supra, 477 F.3d at 218. Like the Phillips defendant’s program, here, Defendant’s program used a similar “brute force” technique of repeatedly guessing the URLs for CommCorp’s users’ web pages until the program happened to enter a URL that matched an existing page. See id. (describing how a “brute force” attack on a web page works). Because Defendant accessed CommCorp’s website in a manner that CommCorp did not intend, his access was unauthorized.

Furthermore, Defendant’s access was far afield from what CommCorp intended because Defendant had to actively deceive CommCorp’s website by changing his user agent string to identify his computer as a tablet. This deception not only deviated from the website’s intended use, but used deceptive practices to circumvent the website’s barriers to access.

Our approach is consistent with existing precedent. In EF Cultural Travel BV v. Explorica, Inc., Explorica developed a scraper program that accessed the website of the plaintiff, EF Cultural Travel (EF), a competing travel agency. 274 F.3d 577, 579 (1st Cir. 2001). The program entered URLs for EF’s webpages, tailoring the URLs it searched to match codes provided by former EF employees. Id. These codes also appeared to users in publicly visible URLs as users accessed EF’s website and Explorica’s scraper program simply duplicated these URLs and downloaded information from the webpages that were generated. Id. at 579, 582-83. The First Circuit held that the trial court was not mistaken to find that Explorica’s scraper program was unauthorized access under the meaning of the CFAA. Id. at 584-85.

Here, like the defendant in Explorica, Defendant’s scraper program accessed URLs and copied information from CommCorp’s webpages. Like the URLs in Explorica, the URLs Defendant accessed were also publicly accessible. Defendant developed a scraper program to access CommCorp’s website in a manner similar to the program used by the Explorica defendant, using the program’s ability to quickly enter URLs so that Defendant could eventually find those pages that corresponded to tablet users. Accordingly, Defendant’s access to CommCorp’s website was unauthorized.

The Dissent contends that CommCorp implicitly authorized access to people like Defendant because any computer user could enter URLs, view, and copy the email addresses on CommCorp’s website. This framing of the issue underemphasizes the lengths through which Defendant needed to go to enter the proper URLs. Defendant relied upon a program that repeatedly entered URLs—many of which were invalid—until, through the brute force of repeated attempts, he happened to come up with one including a series of numbers and letters that matched a CommCorp tablet. This is analogous to repeated attempts to enter a password on a restricted webpage—also something that any member of the public can do, and that even critics of our approach would agree is unauthorized. See Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1644-45 (2003) (describing a code-based definition of “authorized access” where users access computers without authorization by circumventing passwords); see also Morris, supra, 928 F.2d at 510 (holding that the “password guessing” feature of a computer worm constitutes access without authorization).

Even if we chose not to find that Defendant gained unauthorized access by deviating from the intended use of CommCorp’s website, the website’s terms of service provide us with an independent avenue of affirming the trial court’s judgment. Because the Defendant’s scraper program violated the terms of service for CommCorp’s website, Defendant’s use of the program was unauthorized access under the CFAA. See America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444, 450 (E.D. Va. 1998); see also United States v. Rodriguez, 628 F.3d 1258, 1260, 1263 (10th Cir. 2010) (Social Security Administration employee gained unauthorized access to database by violating Administration policy against accessing the database for non-business reasons); America Online v. National Health Care Discount, Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa, 2001) (defendant’s access was unauthorized because defendant violated terms of service). This pattern is also consistent with decisions in the context of employee access to employer computers. See e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (Social Security Administration employee’s access of office records for personal reasons was unauthorized under the CFAA because it was contrary to Administration policy).

In its terms of service, CommCorp clearly prohibited Defendant’s activity. The CFAA does not define “authorization,” and in the absence of a statutory definition, we look to the factual circumstances of this case to determine if CommCorp limited the ability of any of its users to access its website. CommCorp’s terms of service fill the gap that the CFAA leaves open. The terms of service systematically describe what users on the website cannot do and clearly restrict CommCorp users from viewing and copying information from pages that are not associated with their own tablets. While users need to take some active measures to view the terms of service, every page on CommCorp’s website includes a clear link to these terms, rendering implausible the claim that users cannot be reasonably expected to know the terms of service.

In the absence of a statutory definition of unauthorized access, website terms of service may be the next best place to look for meaning. Each site provides its own terms of service and these terms are tailored to meet the needs of any individual or company with an online presence. The terms of service are generally accessible to every user of each webpage who clicks on the link to the terms. Terms of service provide a means to clearly define whether users’ access is unauthorized under the meaning of the CFAA.

We believe that our interpretation of the CFAA effectively protects website owners and users. As the facts of this case reveal, an increasing quantity of personal information is stored in online repositories and technology-savvy individuals are always developing novel, intricate methods to access this information. Defining “authorization” by referencing the expectations of those who run websites is the most effective way to ensure that malicious hackers are held responsible even if their methods are new and creative.

The FBI Did Not Violate the Fourth Amendment by Accessing Defendant’s Wireless Network and Shared Folder

Defendant argues that Agents Boot and Block’s actions of accessing his wireless network and shared folder constituted searches within the meaning of the Fourth Amendment. Because the agents undertook these actions without a warrant, Defendant contends that his Fourth Amendment rights were violated and that the evidence obtained from the shared folder should have been excluded.[3]

The Fourth Amendment prohibits “unreasonable searches and seizures.” U.S. CONST. amend. IV. To determine whether the conduct of the police constituted a search under the Fourth Amendment, we look to Katz v. United States, 389 U.S. 347 (1967). In Katz, the Supreme Court noted that the Fourth Amendment “protects people, not places,” rejecting the traditional approach of analyzing whether the government’s search infringes on a constitutionally protected area. Katz v. United States, 389 U.S. 347, 350-51 (1967). This approach requires us to determine whether the government violated the defendant’s subjective expectation of privacy and whether society was prepared to recognize this expectation of privacy as reasonable. Id. at 361 (Harlan, J., concurring); see also Kyllo v. United States, 533 U.S. 27, 33 (2001).

[3] At trial, the Government did not argue that the content of Defendant’s shared folder would have inevitably been discovered or could have been located as a result of an independent, lawful search that would have taken place without use of the information discovered in the shared folder. The Government has therefore waived the ability to argue on appeal that even if the search was unlawful, the evidence should not be excluded. Moreover, the government did not contend that there was any imminent risk of document destruction, thereby waiving the government’s ability to argue that any probable cause justified a search in light of exigent circumstances. Contra Warden v. Hayden, 387 U.S. 294, 298-99 (1967).

We need not delve into whether Defendant subjectively expected his files to be private when stored in the shared folder. Under the Katz approach, the government must violate both a subjective and objective expectation of privacy in order for a search to have occurred. Katz, supra, 389 U.S. at 350-51. We find that Defendant did not have an objectively reasonable expectation of privacy in his wireless network, nor in the folder he shared over his wireless network.

This question presents an issue of first impression for this court: whether individuals who store information on a shared wireless network have a reasonable expectation of privacy in that information. While the particular technology involved in this case is new territory for this court, we find that existing Fourth Amendment case law is rife with analogous situations.

The United States Supreme Court has repeatedly held that observations by the police that may be readily made by members of the public do not constitute Fourth Amendment searches. There is no Fourth Amendment search when police officers approach a home, knock on the door, and speak to the occupant. Kentucky v. King, 131 S. Ct. 1849, 1862 (2011). There is no Fourth Amendment search when police officers use a helicopter to observe a fenced-in yard. California v. Ciraolo, 476 U.S. 207, 213-14 (1986). The Court reached these holdings using a similar justification: members of the public would have been able to make observations similar to those made by the police. Under Katz, “[w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection.” Katz, supra, 389 U.S., at 351.

Here, even if Defendant expected that folders shared over his wireless network would remain private, this expectation of privacy was not reasonable. The wireless network emanated from Defendant’s home. This was not a situation where the police needed to use specialized techniques or equipment. See Florida v. Jardines, 133 S. Ct. 1409, 1416-18 (police use of drug-sniffing dog at front door of home was a search under the Fourth Amendment); Kyllo v. United States, 533 U.S. 27, 40 (police use of thermal imaging device that is “not in general public use” was a search under the Fourth Amendment). Anybody with a laptop or Smartphone could have determined that the network existed and accessed the shared folder over that network, meaning that Defendant could not have held a reasonable expectation of privacy in the network or in his folder on that network. See United States v. Borowy, 595 F.3d 1045, 1048 (9th Cir. 2010); United States v. Sayer, 2012 WL 2180577 No. 2:11–cr–113–DBH at *2 (D. Me. 2012).

The Dissent concludes that Agent Boot’s Shadow device is not available for use by the public because it had the unique capacity to estimate the distance of Defendant’s wireless router. This conclusion does not affect our resolution of this case, however, because Agents Boot and Block did not rely on this function to locate and access the incriminating evidence. While the Shadow device itself may be unavailable to the public, the functions it carried out that were relevant to the prosecution were actions that any member of the public in the vicinity of Defendant’s home could have taken with a publicly available laptop or Smartphone.

Moreover, when Defendant placed documents in a folder that he effectively broadcasted to the public using his wireless network, he assumed the risk that a third party would come across this information and notify the authorities. The government’s monitoring of this broadcasted information is therefore not a search because it falls under the third party doctrine. See Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (“[t]his Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties”).

We are certainly not the first court to apply the third party doctrine in the internet context. See, e.g., United States v. Forrester, 512 F.3d 500, 509-10 (9th Cir. 2008) (holding that to/from addresses on email are analogous to phone numbers traced by pen register and therefore fall under the third party doctrine). Moreover, we are not the first to find that a defendant’s submission of information over a wireless network assumes the risk that the police will gain access to that information. See United States v. Stanley, 2012 WL 5512987 No. 11–272 at *12 (W.D. Penn. 2012). Even if Agents Boot and Block’s actions intruded into Defendant’s home, as the Dissent worries, Defendant’s voluntary relinquishment of his documents to members of the public distinguishes this case from the cases the Dissent cites. See Stanley, supra, 2012 WL 5512987 at *16.

Defendant voluntarily relinquished the content of his folder to the public and thereby

assumed the risk that a member of the public would refer that content to law enforcement

authorities. Accordingly, the wireless network and its content fall within the third party

doctrine and Defendant could not have had a reasonable expectation of privacy in his wireless

network and the folders shared over this network.

CONCLUSION

For the foregoing reasons, we find the trial court did not err in its determination that

Defendant’s access of CommCorp’s website was unauthorized under the CFAA. Moreover, we

find that the trial court did not err in admitting evidence obtained through the use of the Shadow

device. Accordingly, the judgment of the trial court is

AFFIRMED

It is so ordered.

HADDOCK, C.J., dissenting

Because the Majority’s interpretation of the CFAA is mistaken and overbroad, and

because Agents Boot and Block carried out a search under the Fourth Amendment, I respectfully

dissent.

Defendant Did Not Violate the CFAA

The Majority contends that the trial court was correct to conclude that the Defendant’s

use of the scraper program constituted unauthorized access of CommCorp’s website under the

meaning of the CFAA. The Majority reaches this conclusion in two distinct ways. The Majority

first concludes that CommCorp did not intend for users to access and download information from

its website with a scraper program, and that this unexpected access constituted unauthorized

access. The Majority separately contends that a violation of website terms of service constitutes

unauthorized access. Both of these conclusions rely on a dangerously broad definition of the

CFAA that would criminalize massive amounts of common, online activity. See Pulte Homes,

Inc. v. Laborers’ Int’l. Union of North America, 648 F.3d 295, 299, 304 (6th Cir. 2011)

(defendant’s tactic of sending numerous, repeated emails to website to overload the website’s

computer capacity was not unauthorized under the CFAA because any member of the public

could send emails to the website).

The CFAA does not define when an individual accesses a protected computer “without

authorization.” Accordingly, we must determine the meaning of this terminology by looking to

the contemporary, common meaning of the words in the statute. LVRC Holdings, LLC. v.

Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). Authorization is defined as “permission or power

granted by an authority.” Id. at 1133 (citing Random House Unabridged Dictionary, 139 (2001))

(internal quotations omitted). When the language of a criminal statute is ambiguous, the rule of

lenity requires courts to construe any ambiguity in favor of the defendant. LVRC Holdings,

supra, 581 F.3d at 1134-35.

The Majority concludes that Defendant’s scraper device went beyond the type of use

CommCorp intended. Even if this were true, the Majority’s conclusion that such unintended use

constitutes unauthorized access under the CFAA is both incorrect and dangerous.

Here, Defendant accessed a series of websites that any member of the public could have

accessed and copied information from these websites—just as any member of the public could

have. Because any member of the public could have accessed CommCorp’s website without

needing to enter a password or overcome any barrier, CommCorp implicitly authorized members

of the public to access the various websites where users’ email addresses were stored. See Pulte

Homes, supra, 648 F.3d at 304. In Pulte Homes, the Sixth Circuit held that individuals have

implied access to websites insofar as they may view content that is not password-protected and

email that website without restriction. Id. Because any member of the public could have viewed

the URLs that Defendant accessed, and because any member of the public could have copied the

email information on these websites, Defendant’s scraper program was not unauthorized access.

While Defendant’s scraper program may have operated on a scale far beyond the capacity

of any individual user, the program’s access to CommCorp’s website was only different in

degree, not kind, from any individual user’s access of that site. CommCorp’s argument that

scraper programs clearly violate the expected use of its website is unconvincing. Furthermore, as

a large public corporation with hundreds of thousands of customers, CommCorp should expect

its websites to be accessed thousands of times each day. Here, Defendant visited CommCorp’s

website thousands of times in a single day, a practice that, while unconventional, was no

different from the day-to-day web traffic that CommCorp should have expected.

Further, CommCorp’s subjective hopes and wishes that the public would not visit the

website do not make an unexpected visitor’s access unauthorized. See EF Cultural Travel BV v.

Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). In EF, a company used a scraper program to send

queries to a competitor’s website to collect pricing information. Id. at 63. In spite of the fact

that the court recognized that EF would “dislike the use of a scraper,” the court held that the use

of the scraper was not unauthorized access under the CFAA. Id. CommCorp doubtless hoped

that the public at large would not access its users’ login URLs – but premising criminal liability

on an owner’s hopes would severely chill everyday internet users’ willingness to explore the

worldwide web due to fear of potential litigation.

It is no help to the Majority to argue that Defendant’s actions “deceived” the website into

thinking that Defendant was using a tablet. While Defendant’s manipulation of his user agent

string sent an altered operating system signal to websites, the end result of this manipulation was

simply that websites would read Defendant’s computer as a tablet, rather than as a computer.

Anybody in the public can send this message to websites by accessing them using a tablet, and

Defendant’s alteration of his user agent string merely allowed his computer to do so as well.

The Majority finally contends that because Defendant’s use of the scraper program

violated CommCorp’s terms of service, Defendant accessed CommCorp’s website without

authorization. The Majority contends that this case is similar to situations where employees

violate company policies. See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010)

(finding unauthorized access when employee violated company policies).

The case before this Court does not involve the clear-cut situations the Majority

references. Here, CommCorp’s terms of service were accessible only to those users who took

the positive actions of scrolling to the bottom of the webpage and clicking on the “Terms of

Service” link. Users then needed to click on the secondary “CommCorp Website Terms of

Service” link. This link leads users to CommCorp’s terms of service for its website, a dense, ten-

page document.

CommCorp’s terms of service do not meaningfully protect its website. See Cvent, Inc. v.

Eventbrite, Inc., 739 F. Supp. 2d 927, 933 (E.D. Va. 2010). Unlike a signed confidentiality or

employment agreement, CommCorp’s terms of service are effectively buried out of the sight of

all but the most inquisitive users. While the Majority may be correct to conclude that website

terms of service provide a clear guide to what CommCorp authorizes its users to do, the

Majority’s decision embraces clarity at the expense of practicality. Realistically, no reasonable

user could be expected to notice CommCorp’s terms of service. Id. at 932. Moreover, because

website owners are entirely in control of their website terms of service, using these terms to

define authorized and unauthorized access can lead to absurd results. See Orin S. Kerr,

Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes,

78 N.Y.U. L. REV. 1596, 1650-51 (2003) (“a computer owner could set up a public web page,

announce that ‘no one is allowed to visit my web page,’ and then refer for prosecution anyone

who clicks on the site out of curiosity”).

Because Defendant’s scraper program merely carried out actions that any member of the

public could have taken, and because Defendant could not have been expected to notice

CommCorp’s terms of service, Defendant’s use of the scraper program did not constitute

unauthorized access under the meaning of the CFAA. Accordingly, Defendant’s conviction

should be reversed.

The FBI Violated Defendant’s Fourth Amendment Rights by Trespassing on Defendant’s Home

and by Infringing Upon His Reasonable Expectation of Privacy

The Majority’s exclusive focus on Katz all but ignores the property-based approach that

the United States Supreme Court developed during its most recent terms. See Florida v.

Jardines, 133 S. Ct. 1409 (2013); United States v. Jones, 132 S. Ct. 945 (2012). In these cases,

the Supreme Court emphasized that intrusion onto an individual’s property can constitute a

search under the Fourth Amendment, whether or not the intrusion violates a reasonable

expectation of privacy.

Contrary to the Majority’s assertion, Katz did not “reject” an approach to Fourth

Amendment analysis based in property law. See Jones, supra, 132 S. Ct. at 950-951. Rather,

“the Katz reasonable-expectation-of-privacy test has been added to, not substituted for, the

common-law trespassory test.” Id. at 952 (emphasis in original). If police, while obtaining

information about an individual, act in a manner that intrudes upon the home or that would

constitute common-law trespass, that action is a search under the Fourth Amendment. Jardines,

supra, 133 S. Ct. at 1415-16; Jones, supra, 132 S. Ct. at 949-51.

With this framework in mind, the Fourth Amendment implications of Agents Boot and

Block’s actions are clear. Agent Boot’s initial use of the Shadow device was a search within the

meaning of the Fourth Amendment because this device revealed information about a device

inside of Defendant’s home. This intrusion constitutes trespass to chattels, and is therefore a

search under the Fourth Amendment. See id. (trespass to chattels is a search under the Fourth

Amendment); Register.com, Inc. v. Verio, Inc., 126 F. Supp.2d 238, 249-50 (S.D.N.Y. 2000)

(use of search robot to access an online database was sufficient to show likelihood of success in

trespass to chattels claim); see also Ned Snow, Accessing the Internet Through the Neighbor’s

Wireless Internet Connection: Physical Trespass in Virtual Reality, 84 NEB. L. REV. 1226 (2006)

(arguing that access of wireless router constitutes trespass to chattels). Moreover, even if the

Majority is convinced that the specifics of common law trespass could not have foreseen the

development of wireless networks and the Shadow, the use of this device and the information it

reveals about the interior of the home is intrusion that rises to the level of a Fourth Amendment

search. See Jardines, supra, 133 S. Ct. at 1415-16.

Agent Block’s further action of opening the shared folder revealed even more

information than the initial search by the Shadow. Agent Block not only accessed the wireless

network, but also manipulated information within this network, which further intruded into

Defendant’s home and constituted an additional search. See id.; see also United States v. Ahrndt,

2013 WL 179326 No. 3:08–CR–00468–KI at *6-8 (D. Or. 2013) (police officer’s directing

private citizen to open a file shared over an unsecured wireless network constituted a search

under the Fourth Amendment).

The agents’ actions constituted searches within the meaning of the Fourth Amendment.

Because these searches occurred without a warrant, they were unreasonable and the evidence that

Agents Boot and Block retrieved from Defendant’s wireless network should have been excluded.

This holding is warranted even if one concedes that the Majority’s singular focus on Katz is

the proper approach to this case. Agents Boot and Block’s actions used sensitive equipment that

revealed information that Defendant had not sought to share with the public, and this infringed

on his reasonable expectation of privacy. See Jardines, supra, 133 S. Ct. at 1418-19 (Kagan, J.,

concurring). In addressing infrared scanning technology in Kyllo v. United States, the Supreme

Court held that:

Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a ‘search’ and is presumptively unreasonable without a warrant.

533 U.S. 27, 40 (2001).

Here, Agent Boot employed technology that was not in common use. The Shadow is not

sold to members of the general public. Moreover, Agent Boot testified that the Shadow reveals

not only the name and security status of wireless networks, but also calculates the distance of

routers – a function that publicly available devices do not perform. Accordingly, the Shadow fits

directly into the category of devices that the Supreme Court described in Kyllo, and Agent Boot’s

use of the Shadow constituted a search. See id.

In light of Jardines, Jones, and Kyllo, the Majority’s final hope to salvage its ruling is its

attempt to label Defendant’s shared folder as falling within the third party doctrine. Its attempt

to do so stretches the doctrine beyond recognition. Unlike the defendants in Smith, Forrester,

and Stanley, here, Defendant did not submit any information to a third party. Defendant’s

wireless router was in his home and Defendant was not using another party’s router, nor was he

transferring any information to a website or phone service.

The Majority repeatedly employs the word “share,” in an apparent attempt to analogize

this case with third party doctrine case law. Here there was no “sharing” in the common sense of

the word – Defendant simply had a network that was not password protected, and had a folder

that could be accessed using this network. There is no evidence of intent to transfer this

information to any other party. Accordingly, this case does not fall within the third party

doctrine, and Defendant’s expectation of privacy in his wireless network and folders on this

network was reasonable.

For these reasons, Agents Boot and Block’s actions were unreasonable searches under the

Fourth Amendment and the spreadsheet and other files that these searches revealed should have

been excluded by the trial court. Accordingly, Defendant’s conviction should be reversed.

Table of Authorities (Issue 1)

Statutes

18 U.S.C. §1030

Cases

EF Cultural Travel v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001)

United States v. Phillips, 477 F.3d 215 (5th Cir. 2007)

United States v. Morris, 928 F.2d 504 (2d Cir. 1991)

Cvent v. Eventbrite, 739 F.Supp. 2d 927 (E.D. Va. 2010)

America Online v. National Health Care Discount, 174 F. Supp. 2d 890 (N.D. Iowa 2001)

Davies v. Afilias Ltd., 293 F. Supp. 2d 1265 (M.D. Fla. 2003)

America Online v. LCGM, 46 F. Supp.2d 444 (E.D. Va. 1998)

United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)

LVRC Holdings v. Brekka, 581 F.3d 1127 (9th Cir. 2009)

Pulte Homes v. Laborers' International Union of North America, 648 F.3d 295 (6th Cir. 2011)

Clarity Services v. Barney, 698 F. Supp. 2d 1309 (M.D. Fla. 2010)

International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006)

United States v. Mitra, 405 F.3d 492 (7th Cir. 2005)

EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003)

Other Sources

Orin Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596 (2003)

Password, MERRIAM WEBSTER, http://www.merriam-webster.com/dictionary/password.

Table of Authorities (Issue 2)

Constitutions

U.S. CONST. amend. IV

Cases

United States v. Jones, 132 S. Ct. 945 (2012)

Florida v. Jardines, 133 S. Ct. 1409 (2013)

Katz v. United States, 389 U.S. 347 (1967)

Kyllo v. United States, 533 U.S. 27 (2001)

Kentucky v. King, 131 S. Ct. 1849 (2011)

California v. Ciraolo, 476 U.S. 207 (1986)

United States v. Knotts, 460 U.S. 276 (1983)

United States v. Karo, 468 U.S. 705 (1984)

Smith v. Maryland, 442 U.S. 735 (1979)

United States v. Borowy, 595 F.3d 1045 (9th Cir. 2010)

United States v. Forrester, 512 F.3d 500 (9th Cir. 2008)

United States v. Broadhurst, 2012 WL 5985615 No. 3:11–cr–00121–MO–1 (D. Or. 2012)

United States v. Stanley, 2012 WL 5512987 No. 11–272 (W.D. Penn. 2012)

United States v. Ahrndt, 2013 WL 179326 No. 3:08–CR–00468–KI. (D. Or. 2013)

United States v. Sayer, 2012 WL 2180577 No. 2:11–cr–113–DBH. (D. Me. 2012)

Intel Corp. v. Hamidi, 71 P.3d 296 (Cal. 1996)

America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp.2d 1255 (N.D. Iowa 2000)

Register.com, Inc. v. Verio, Inc., 126 F. Supp.2d 238 (S.D.N.Y. 2000)

eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000)

Articles

Orin S. Kerr, The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution, 102 MICH. L. REV. 801 (2004)

Ned Snow, Accessing the Internet Through the Neighbor’s Wireless Internet Connection: Physical Trespass in Virtual Reality, 84 NEB. L. REV. 1226 (2006)