The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Volokh Conspiracy

Third Circuit rules narrowly on "authorization" under the CFAA


Last week, the Third Circuit decided a case interpreting the meaning of "authorization" under the Computer Fraud and Abuse Act, 18 U.S.C. 1030. In CollegeSource v. AcademyOne, the court held that the CFAA was not violated when a defendant business competitor viewed files available to the public on the plaintiff business's website and also created a trial subscription to access the plaintiff business's database. The ruling is very narrow, and it's not binding precedent. But given the scarcity of appellate precedents on the important and uncertain meaning of "authorization," it's still a decision worth noting.

First, the facts. The case involves access to the website of a business called CollegeSource (CS) by a market competitor called AcademyOne (A1). CS's website contained a database of information from over 50,000 college course catalogs and allowed paying subscribers and trial users to access the database. CS also hosted some college course catalogs on its website with the permission of the schools, a serviced it called "CataLink," and it provided the schools with direct links to where the catalogs could be found on CS's site.

All files hosted on CS's website were embedded with a "splash page" telling user that the information originated from CS. They also included a copyright page stating that the catalogs were owned and copyrighted by the schools and that CS also had a copyright in the digital catalogs, as well as prohibiting distribution and noncommercial use. Those who logged in to CS's database also had to check a box agreeing to Terms of Use that prohibited commercial use of the data.

A1 is an upstart competitor to CS that offers access to its collection of college course catalogs for free instead of for a fee. A1 approached CS about purchasing or licensing CS's database, but CS said no. A1 then went about trying to build its own database.

The precise facts are really murky at this point. However, it looks like A1 employees collected at least some catalogs from CS's website that were available from direct public links. Also, two employees of A1 created trial subscriptions to access CS's database, although there's no direct evidence of what they did with those trial subscriptions. CS found out, and A1 acknowledged, that some of the information A1 had collected was from CS's site. A1 then tried to remove the material on A1's site that had originated from CS, but was not entirely successful. CS eventually sued A1 under a range of theories, including that A1's access to CS's website was unauthorized in violation of the CFAA. The district court granted summary judgment to A1 on all claims.

In a ruling by Judge Vanaskie, who was also on the panel that reversed weev's conviction, the Third Circuit affirmed. According to the Third Circuit, accessing CS's website was "authorized" under the CFAA based on the known facts:

Common to all of CS's claims under the CFAA is the requirement of proof that the defendant accessed information "without authorization" or "exceed[ed] authorized access." A person "exceeds authorized access" when he "access[es] a computer with authorization and … use[s] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." Id. § 1030(e)(6). The root term, however - "authorization" - is not defined by the statute, and has been the subject of robust debate. One point of agreement is that "without authorization" should be given its "common usage, without any technical or ambiguous meaning." United States v. Morris, 928 F.2d 504, 511 (2d Cir.1991); see also LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132-33 (9th Cir.2009). Here, the record contains only limited evidence that A1 accessed CS's servers, and such access was not "without authorization" under any common meaning of that term.

First, A1 acknowledges that at least two of its employees created trial accounts for CollegeSource Online, using a process available to the general public. There is no evidence, however, that those employees downloaded catalogs for commercial use in violation of the Subscription Agreement, hacked into technologically sequestered portions of the database, or even so much as viewed any particular document. The record would therefore not support a jury finding that A1 violated the CFAA in this respect.

Second, A1 concedes that some course catalogs in its initial offering were obtained from links embedded on the web pages of schools that subscribe to CataLink. These materials were available without precondition to any member of the general public who clicked the link on the subscribing school's website and was thereby directed to CS's servers. Thus again, A1 obtained the materials in question without breaching any technological barrier or contractual term of use. CS provides no other evidence that A1's use of CataLink was "without authorization." Accordingly, we will affirm the District Court's order insofar as it granted summary judgment in favor of A1 on Count Three.

I read this as a very narrow holding that access "using a process available to the general public" is not a CFAA violation at least absent some kind of circumvention of a contract-based or code-based restriction. It strikes me as similar to the holding of the First Circuit in EF Cultural Travel v. Zefer. It's clearly correct, I think, although very limited. In particular, I don't see the Court as taking sides in broader debates over the scope of the CFAA, such as whether and when breaching TOS is a crime and what constitutes breach of a code-based restriction. But given the significant uncertainty about what the CFAA covers, even this very narrow holding is good to see and worth noting.