The CFAA reaches the Supreme Court, sort of


Next week, the Supreme Court will hear its first case involving the controversial federal computer crime law, the Computer Fraud and Abuse Act (CFAA), found at 18 U.S.C. 1030. The case, Musacchio v. United States, has relatively little do with the CFAA. But it does end up touching on one of the most mystifying and confusing questions raised by the CFAA: The difference between "access without authorization" and "exceed[ing] authorized access." The briefs don't get into the CFAA much, for reasons that I'll explain, but how to interpret the CFAA might end up being relevant to the Supreme Court's decision.

First, some background. The Musacchio case presents two discrete issues of federal criminal law. As explained by the petitioner's brief, they are:

1. Whether the law-of-the-case doctrine requires the sufficiency of the evidence in a criminal case to be measured against the elements described in the jury instructions where those instructions, without objection, require the government to prove additional or more stringent elements than do the statute and indictment?

2. Whether a statute-of-limitations bar not raised at or before trial is reviewable on appeal?

The first issue is the one that implicates the CFAA, so let me try to translate that issue into English. As regular readers know, the broadest section of the CFAA, 18 U.S.C. 1030(a)(2)(C), prohibits both accessing a computer without authorization and exceeding authorized access to a computer. When the jury instructions were written in this case, however, apparently no one noticed that the jury was wrongly instructed on the elements on one of the counts. Instead of requiring the jury to prove that Musacchio either accessed computers without authorization or exceeded authorized access, the jury was told that they needed proof Musacchio both accessed computers without authorization and exceeded authorized access.

On appeal, Musacchio wants to argue that the evidence was insufficient at trial. The first question presented boils down to Musacchio's burden to succeed on that claim. To prevail, does Musacchio have to show that the jury could not have found that he either accessed the computer without authorization or exceeded authorized access, as the statute requires? Alternatively, does he have to show that the jury could not have found that he both accessed the computer without authorization and exceeded authorized access, as the jury instructions required? The answer depends both on what the general rule for this kind of review should be—does the sufficiency challenge follow the statute or the jury charge—and whether, if the latter, there is an exception for particularly obvious errors in the jury charge.

I don't have a view of that issue generally, but I do have a thought with respect to its potential application. If the Court concludes that the general rule is that the jury charge governs, but that there is an exception for plain errors, the result of applying that plain error test might depend on whether plain error is judged based on the law in the abstract or the law as applied to the facts.

The error in the jury instruction was plain in the sense that it was a clear legal mistake in the abstract. The statute requires "or," not "and." (Weirdly, the case would be indicted as "and" rather than "or," but that's only because of The Strange Practice of Indicting in the Conjunctive. The case still should have been given to the jury as "or.") On the other hand, the error wasn't so plain as applied to the facts, as it's not at all clear that there is a difference between access without authorization and exceeds authorized access, or that any difference might be relevant to the case.

A little background. The facts of Musacchio are pretty classic for CFAA cases. Until 2004, the defendant was in charge of a business called ETS. Soon after leaving, the defendant persuaded the head of ETS's IT department to go into the ETS network and send him valuable business information. In most cases, the IT head would do this by accessing the e-mail accounts of key employees at ETS. In October 2005, the defendant started a competitor business, TTS, and a month later the head of IT from ETS joined the defendant at TTS. While at ETS, the IT head had installed a backdoor that allowed him to access the ETS network after leaving with a special password. Both the defendant and the IT head used the backdoor account to access ETS documents.

The defendant was charged with three counts. The first count was conspiracy to violate the CFAA; the second count was unauthorized access to the e-mail account of ETS's president and legal counsel in November 2005; and the third count alleged unauthorized access to the e-mail of the company's counsel in January 2006. The jury convicted on all three counts.

The error in the jury instruction was pretty technical. The court explained the elements of 18 U.S.C. 1030(a)(2) three times: First, briefly when describing the conspiracy count; and then after that, in slightly more detail when describing the other counts. (Read the relevant parts of the charge here at pages 168 to 173.) The court described the elements of 1030(a)(2)(C) correctly the second and third time. But when the judge described the elements of the conspiracy count, here's what the court told the jury:

Count 1 of the indictment charges the defendant with conspiring to violate Title 18 U.S.C. § 1030(a)(2)(C), unauthorized access to protected computer(s), in violation of 18 U.S.C. § 371. Title 18 U.S.C., § 371, makes it a crime for anyone to conspire with someone else to commit an offense against the laws of the United States. Title 18 U.S.C. § 1030(a)(2)(C) makes it a crime for a person to intentionally access a protected computer without authorization and exceed authorized access, and thereby obtain information, and (1) the offense was committed for purposes of commercial advantages or (2) private financial gain, or (3) the value of the information exceeded $5,000.

The error is subtle. Although the judge described the elements of § 1030(a)(2)(C) correctly for counts 2 and 3, the judge should have said that "Title 18 U.S.C. § 1030(a)(2)(C) makes it a crime for a person to intentionally access a protected computer without authorization or exceed authorized access," not "and exceed authorized access." The jury instruction did not include any definition of "access without authorization" or "exceeds authorized access," even though the latter is a statutorily defined term.

I wrote earlier that if the Court adopts some kind of "plain error" test, then how to apply it depends on what counts as plain error. Here's my thinking. On one hand, the error is plain in that the "and" clearly should be "or." On the other hand, in context, it's relatively easy to see why no one caught this error, and it's hard to imagine the jury being confused by it—at least any more than the appellate courts are.

First, as a preliminary matter, there is no consensus among courts or scholars on what the difference is supposed to be between "access without authorization" and "exceeding authorized access." I could list a lot of theories about what the difference should be, including the view that there is no difference at all between them. But there's no clear understanding about what the difference is. Prosecutors are often confused about the issue, too, as it's not uncommon for them to just overlook the distinction. In the Auernheimer case, for example, both at trial and on appeal, the prosecutors just referred generically to "unauthorized access." They didn't even try to distinguish the two.

Granted, in some circuits there are different lines of thinking, some in dicta, as to the difference between "access without authorization" and "exceeds authorized access." But I've always understood these decisions to focus on what "exceeds authorized access" does beyond "access without authorization," not what it covers that "access without authorization" does not itself cover. It's clearly possible to exceed authorized access but not access without authorization, see 18 U.S.C. 1030(a)(5)(B) (prohibiting the latter but not the former); United States v. Morris (2d. Cir. 1991), but it's not obvious that a person can access a computer without authorization but not also exceed authorized access.

The hard part is that "access" isn't a clear line, which often makes it easy to recharacterize an "access without authorization" as an act of "exceeding authorized access." For the details, see here at 1619-21 and 1646-48. In light of that problem, Musacchio's argument that he accessed without authorization but didn't exceed authorized access strikes me as a somewhat novel kind of claim.

For the most part, that probably doesn't matter at this stage. As the case comes to the Supreme Court, it comes mostly as an abstract matter of law outside the CFAA. But I wonder if it might matter if the Court adopts a plain error test, depending on what kind of plain error test the Court adopts. If the test for when error is plain depends on the obviousness of the error in the abstract, then the error was pretty plain. But if it depends on the significance of the error in the context of the case, either for the plainness of the error, or whether the error was a miscarriage of justice, then the uncertainty over what "exceeds authorized access" means that is different from "access without authorization" suggests to me that a plain error test couldn't be satisfied. Or perhaps more to the point, if the Court adopts a plain error test, perhaps it's best for the Court to remand and let the circuit actually apply the test rather than have the Court do so.