Agency, code, or contract: determining employees' authorization under the computer fraud and abuse act

Michigan Law Review

Volumn 107, Issue 5, 2009, Pages 819-852

  Field, Katherine Mesenbring ^a  

^a NONE

Author keywords

[No Author keywords available]

Indexed keywords

EID: 62749176471     PISSN: 00262234     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Review

References (250)

1. The most recent federal survey indicated that 77 million people in the United States use a computer at work. BUREAU OF LABOR STATISTICS, COMPUTER AND INTERNET USE AT WORK IN 2003, at 1 (2005), available at http://www.bls.gov/news. release/pdf/ciuaw.pdf.
2. For a discussion of the link between IT use and productivity in the workplace, see Kevin J. Stiroh, Information Technology and the U.S. Productivity Revival: What Do the Industry Data Say?, 92 AM. ECON. REV. 1559 (2002).
3. 18 U.S.C § 1030 (2006).
4. See COMPUTER CRIME & INTELLECTUAL PROP. SECTION, U.S. DEP'T OF JUSTICE, PROSECUTING COMPUTER CRIMES 2 (2007) [hereinafter PROSECUTING COMPUTER CRIMES], available at http://www.usdoj.gov/criminal/cybercrime/ccmanual.
5. 18 U.S.C § 1030(a)(2)(C), (a)(4), (g) (emphasis added).
6. See, e.g., Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006);
7. ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006);
8. Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125 (W.D. Wash. 2000).
9. See, e.g., Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 968 (D. Ariz. 2008);
10. Diamond Power Int'l., Inc. v. Davidson, 540 F. Supp. 2d 1322, 1343 (N.D. Ga. 2007);
11. Lockheed Martin Corp. v. Speed, No. 6:05-cv-1580-Orl-31KRS, 2006 U.S. Dist. LEXIS 53108, at *15 (M.D. Fla. Aug. 1, 2006).
12. See, e.g., Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 319 (D. Conn. 2008);
13. Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 498 (D. Md. 2005);
14. SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593, 608-10 (E.D. Va. 2005).
15. 18 U.S.C. § 1030(g) (allowing any person who suffers damage by a violation of the CFAA to "maintain a civil action" for "compensatory damages and injunctive relief or other equitable relief).
16. Civil suits under the CFAA have also been brought by website operators against users of electronic data gatherers, Christine D. Galbraith, Access Denied: Improper Use of the Computer Fraud and Abuse Act to Control Information on Publicly Accessible Internet Websites, 63 MD. L. REV. 320, 322-23 (2004),
17. and by internet service providers against spammers, Saul Hansell, Microsoft Sues 15 Organizations In Broad Attack On Spam E-Mail, N.Y. TIMES, June 18, 2003, at Cl.
18. See Paul S. Chan & John K. Rubiner, Access Denied: Using the Computer Fraud and Abuse Act to Restrict Employee Mobility, COMP. & INTERNET LAW., June 2006, at 12, 12-14.
19. 18 U.S.C § 1030(a)(2).
20. Compare United States v. Czubinski, 106 F.3d 1069, 1071-72 (1st Cir. 1997) (finding access unauthorized without discussing how to determine authorization), United States v. Morris, 928 F.2d 504, 510-11 (2d Cir. 1991) (finding that lack of authorization is not limited to outsiders, but not discussing alternative interpretations of authorization), and Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1123 (WD. Wash. 2000) (applying an agency-based interpretation, of authorization without noting alternatives), with Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 964-65 (D. Ariz. 2008) (noting the existence of different interpretations), Black & Decker (U.S.), Inc. v. Smith, 568 F. Supp. 2d 929, 933-34 (W.D. Tenn. 2008), interlocutory appeal granted, No. 07-1201, 2008 WL 3850825 (W.D. Tenn. Aug. 13, 2008) (same), and Lockheed Martin Corp. v. Speed, No. 6:05-cv-1580-Orl-31KRS, 2006 U.S. Dist. LEXIS 53108, at *12-14 (M.D. Fla. Aug. 1, 2006) (same).
21. See, e.g., Shurgard, 119 F. Supp. 2d at 1125.
22. WILLIAM A. GREGORY, THE LAW OF AGENCY AND PARTNERSHIP 10-11 (3d ed. 2001).
23. Id. at 13.
24. RESTATEMENT (SECOND) OF AGENCY § 112 (1958);
25. GREGORY, supra note 14, at 103.
26. Shurgard, 119 F. Supp. 2d at 1123.
27. RESTATEMENT (SECOND) OF AGENCY § 112.
28. Shurgard, 119 F. Supp. 2d at 1125.
29. Id. at 1129.
30. 440 F.3d 418 (7th Cir. 2006).
31. Id. at 419.
32. Id. at 420.
33. Id. at 420-21.
34. Id.
35. See, e.g., ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006).
36. See, e.g., Richard Warner, The Employer's New Weapon: Employee Liability Under the Computer Fraud and Abuse Act, 12EMP. RTS. &EMP. POL'Y J. 11, 12, 23 (2008).
37. See, e.g., Chan & Rubiner, supra note 10, at 16.
38. Id. at 14.
39. Shepardizing the opinion establishes that thirty-one cases have cited Citrin since the decision was issued in March 2006. Opinion last Shepardized using LexisNexis on December 5, 2008.
40. See infra Section III.B. 1.
41. Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.YU. L. REV. 1596, 1600 (2003).
42. Id. at 1644-45.
43. Id. at 1649.
44. See, e.g., Black & Decker (U.S.), Inc. v. Smith, 568 F. Supp. 2d 929 (W.D. Tenn. 2008), interlocutory appeal granted, No. 07-1201, 2008 WL 3850825 (WD. Tenn. Aug. 13, 2008).
45. 928 F.2d 504 (2d Cir. 1991).
46. Kerr, supra note 32, at 1649.
47. Morris, 928 F.2d at 510.
48. Kerr, supra note 32, at 1632.
49. Notably, the intended function test can be somewhat broader than a code-based interpretation of authorization, as other courts have interpreted it to mean that the scope of a user's authorization derives from the expected norms of intended use or the nature of the relationship established between the computer owner and the user. United States v. Phillips, 477 F.3d 215, 219 (5th Cir. 2007). However, the operation of the intended functions test in the Morris case specifically translates into a code-based approach of authorization, because Morris used holes in programs to allow himself greater access than he would otherwise have had. Morris, 928 F.2d at 510.
50. No. 6:05-cv-1580-Orl-31KRS, 2006 U.S. Dist. LEXIS 53108, at * 16-25 (M.D. Fla. Aug. 1, 2006).
51. Id. at * 3.
52. Id. at * 12.
53. The court noted that the use of agency principles to determine that an employee was "without authorization" suggests that the term "exceeds authorized access" should not apply to situations involving a person with some level of authorization (i.e., insiders). Id. at * 18-19.
54. As such, the court concluded, the agency-based interpretation "effectively shaves 'exceeds authorized access' down to amere sliver of what its plain meaning suggests." Id. at *17.
55. Id. at * 22-23.
56. See id. at *15.
57. Id. at * 15.
58. Id. at * 15-16.
59. See, e.g., Black & Decker (U.S.), Inc. v. Smith, 568 F. Supp. 2d 929 (W.D. Tenn. 2008), interlocutory appeal granted, No. 07-1201, 2008 WL 3850825 (W.D. Tenn. Aug. 13, 2008);
60. B&B Microscopes v. Armogida, 532 F. Supp. 2d 744, 758 (W.D. Pa. 2007).
61. See, e.g., Black & Decker, 568 F. Supp. 2d at 936; Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 968 (D. Ariz. 2008);
62. Brett Senior & Assoes, v. Fitzgerald, No. 06-1412, 2007 WL 2043377, at *3 (E.D. Pa. July 13, 2007);
63. Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 494-98 (D. Md. 2005); SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593, 608-10 (E.D. Va. 2005).
64. See, e.g., Shamrock Foods, 535 F. Supp. 2d at 968.
65. Kerr, supra note 32, at 1637.
66. See, e.g., Am. Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444, 448 (E.D. Va. 1998) (finding that use of an AOL account to obtain, email addresses of other users constituted unauthorized access of information because it violated AOL's terms of service). Courts have varied in their acceptance of the contract-based interpretation of authorization. Some courts hesitate in using terms of service agreements to determine authorization.
67. See Am. Online, Inc. v. Nat'l Health Care Disc., Inc., 121 F. Supp. 2d 1255, 1273 (N.D. Iowa 2000). However, other courts have found unauthorized access using a contract-based interpretation even when the access was not specifically prohibited by the contract.
68. See Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 248 (S.D.N.Y. 2000).
69. See, e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001);
70. United States v. Czubinski, 106 F.3d 1069, 1071 (1st Cir. 1997);
71. Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 319 (D. Conn. 2008);
72. Hewlett-Packard Co. v. Byd:Sign, Inc., No. 6:05-CV-456, 2007 WL 275476, at * 15 (E.D. Tex. Jan. 25, 2007).
73. EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62 (1st Cir. 2003) (quoting 18 U.S.C. § 1030(e)(6) (2006)) (alteration, in original);
74. Explorica, 21A F.3d at 581 (quoting 18 U.S.C § 1030(e)(6) (2006)) (alteration in original).
75. Scrapers are computer programs that are able to quickly gather all the information on a website. Explorica, 274 F. 3d at 579.
76. Zefer, 318 F.3d at 62-63;
77. Explorica, 274 F.3d at 579.
78. Explorica, 274 F.3d at 583.
79. In Zefer, the court noted that the lack of authorization also implicitly extended to Zefer, the company that created the scraper, even though it was not a party to the confidentiality agreement. 318 F.3d at 63.
80. Id. at 63-64. The court noted that "[i]t is also of some use for future litigation among other litigants in this circuit to indicate that, with rare exceptions, public website providers ought to say just what non-password protected access they purport to forbid."
81. Id. at 64.
82. 106 F.3d 1069, 1071 (1st Cir. 1997).
83. Id. at 1078.
84. Kerr, supra note 32, at 1634.
85. Hewlett-Packard Co. v. Byd:Sign, Inc., No. 6:05-CV-456, 2007 WL 275476, at *12 (E.D. Tex. Jan. 25, 2007).
86. Id. at *1.
87. Id. at *13.
88. Id.
89. Id.;
90. see also Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 319 (D. Conn. 2008) (noting that the employee's authorization was limited to access in furtherance of the employer's business based on language in an employment agreement).
91. Hewlett-Packard, 2007 WL 275476, at *13.
92. Indeed, most cases following Citrin and Speed that outline the conflict between an agency-based approach and a code-based approach fail to mention the possibility of a contractbased approach entirely, even when there exists a contract capable of being interpreted as defining authorization.
93. See, e.g., Black & Decker (U.S.), Inc. v. Smith, 568 F. Supp. 2d 929, 934-36 (W.D. Tenn. 2008), interlocutory appeal granted, No. 07-1201, 2008 WL 3850825 (W.D. Tenn. Aug. 13, 2008) (outlining the divide between courts applying an agency-based approach and those applying a code-based approach and adopting the latter without substantial consideration of the employment agreements relating to the employee's authorization).
94. 18 U.S.C § 1030(a)(4) (2006).
95. Courts opting for an agency-based interpretation use legislative history to find that the CFAA's scope has been broadened over time such that it reaches and can be invoked by employers and that the CFAA was designed to reach insiders as well as outsiders. See, e.g., Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1127-29 (W.D. Wash. 2000);
96. Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 417 (7th Cir. 2006). Courts adopting a code-based interpretation often argue that the legislative history supports a narrow view of authorization.
97. See, e.g., Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965-66 (D. Ariz. 2008).
98. William N. Eskridge, Jr., Legislative History Values, 66 CHI.-KENT L. REV. 365, 439 (1990).
99. Use of legislative history is declining generally, but many courts still employ it where the statutory text is ambiguous. CHRISTIAN E. MAMMEN, USING LEGISLATIVE HISTORY IN AMERICAN STATUTORY INTERPRETATION 26 (2002).
100. Using legislative history as evidence of specific intent, as I do here, "is, historically, the main justification for examining such materials." Eskridge, supra note 72, at 369-70.
101. Initially, the CFAA was primarily aimed at outsiders, such as hackers or other persons outside of the computer system at issue. See H.R. REP. NO. 98-894, at 10-12 (1984), reprinted in 1984 U.S.CCA.N. 3689, 3695-97. Insiders, by contrast, are those who are somehow legitimately connected to the computer system at issue. In employment-related CFAA cases, issues of insider liability acquire acute importance, because employees are generally considered insiders in light of their employer-sanctioned access.
102. H.R. REP. NO. 98-894, at 10, reprinted in 1984 U.S.CCA.N. at 3695.
103. Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98-473, 98 Stat. 2190 (codified as amended at 18 U.S.C § 1030 (2006)) [hereinafter 1984 CFAA].
104. See S. REP. NO. 104-357, at 11 (1996);
105. H.R. REP. NO. 99-612, at 7, 10-11 (1986);
106. S. REP. NO. 99-432, at 5-7 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2483-85.
107. H.R. REP. NO. 98-894, at 21, reprinted in 1984 U.S.C.C.A.N. at 3707.
108. Joseph B. Tompkins, Jr. & Linda A. Mar, The 1984 Federal Computer Crime Statute: A Partial Answer to a Pervasive Problem, 6 COMPUTER/L.J. 459, 465 (1986).
109. H.R. REP. NO. 98-894, at 15, 22, reprinted in 1984 U.S.C.C.A.N. at 3701, 3708 ("[The 1984 Act] adds a clause excluding from these sections coverage of a person authorized to access a computer who merely exceeds such authorization by the incidental use of the computer .... in, for example, doing one's homework or playing computer games.").
110. See Tompkins & Mar, supra note 79, at 465.
111. H.R. REP. NO. 99-612, at 7.
112. Id.
113. Id.
114. Id. at 7, 10-11;
115. SEN. REP. NO. 99-432, at 5-7 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2482-85.
116. S. REP. NO. 99-432, at 6, reprinted in 1986 U.S.C.C.A.N. at 2483-84.
117. S. REP. NO. 99-432, at 8, reprinted in 1986 U.S.C.C.A.N. at 2486.
118. 1984 CFAA, supra note 76.
119. Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, 100 Stat. 1213, § 2(g)(6) (codified as amended at 18 U.S.C § 1030 (2006)) [hereinafter 1986 CFAA].
120. S. REP. NO. 99-432, at 9, reprinted in 1986 U.S.CCA.N. at 2486;
121. H.R. REP. NO. 99-612, at 11.
122. See 1984 CFAA, supra note 76, at § 2102(a).
123. See 18 U.S.C § 1030(e)(6).
124. Further amendments to the CFAA do not provide any more information about what Congress intended to determine insider authority. The most significant amendments to the CFAA after 1986 reference insider unauthorized users multiple times, but primarily to explain that provisions do reach insiders exceeding their authorized access. See S. REP. NO. 104-357, at 6, 9-11 (1996). The later committee reports on the CFAA again, make it clear that Congress wants to include insiders who are exceeding their authorized access purposefully and with an intent to harm, but these discussions fail to clarify what insider actions cause a person to exceed authorization.
125. See id. at 11;
126. S. REP. NO. 101-544, at 5 (1990).
127. See, e.g., Wis. Pub. Intervenor v. Mortier, 501 U.S. 597, 622 (1991) (Scalia, J., concurring) (objecting to "the practice of utilizing legislative history for the purpose of giving authoritative content to the meaning of a statutory text").
128. See MAMMEN, supra note 73, at 156;
129. see also Adam N. Steinman, "Less" is "More"? Textualism, Intentionalism, and a Better Solution to the Class Action Fairness Act's Appellate Deadline Riddle, 92 IOWA L. REV. 1183, 1218 (2007) ("Both, textualists and intentionalists agree that statutory language can be ambiguous, and in those situations, it is proper for judges to consult not only the statute's text but also its context, including the legislative intent underlying that statute.").
130. Kerr, supra note 32, at 1602.
131. Id. at 1602-03.
132. Id. at 1603.
133. Id.
134. Id. at 1603-04.
135. Id. at 1603-05.
136. Id. at 1605-07 (noting that trespass and burglary statutes require physical entry onto property, which one cannot do in cyberspace);
137. Joseph M. Olivenbaum, 〈CTRL〉〈ALT〉〈DEL〉: Rethinking Federal Computer Crime Legislation, 27 SETON HALL L. REV. 574, 577 (1997) (same with regard to trespass and larceny).
138. See, e.g., Lund v. Commonwealth, 232 S.E.2d 745, 748 (Va. 1977) (stating that unauthorized use of a computer is not subject to the larceny statute).
139. E.g., United States v. Girard, 601 F.2d 69, 71 (2d Cir. 1979) (concluding that the government has a property interest in information);
140. United States v. Seidlitz, 589 F.2d 152, 160 (4th Cir. 1978) (finding that the defendant's unauthorized use and accessing of computerized information was akin to being an intruder on the physical property of another).
141. As Kerr notes, even those courts willing to find that a crime had been committed by computer misuse often only punished computer misuse as theft when it resulted in significant harm. Kerr, supra note 32, at 1613.
142. Id.;
143. see also DONN B. PARKER, FIGHTING COMPUTER CRIME 244 (1983);
144. Donald G. Ingraham, On Charging Computer Crime, 2 COMPUTER/L.J. 429, 429-30 (1980).
145. Kerr, supra note 32, at 1602.
146. For example, a well-publicized event involving "pirate bulletin boards" between the time the act was first passed and the 1986 amendments sparked congressional concern over this type of computer crime, leading to the development of a provision in the Act regarding trafficking of stolen passwords. H.R. REP. NO. 99-612, at 6 (1986);
147. see also 1986 CFAA, supra note 89.
148. Significant additions to the statute also came in 1994 to address the growing use of "worms" and "viruses" by computer criminals. Violent Crime Control and Law Enforcement Act of 1994 Pub. L. No. 103-322;
149. Stat. 1796, § 290001;
150. CONG. REC. S 16,421 (1993).
151. In other words, it constitutes the purpose value of the legislative history that, once identified, can serve as the starting point for resolving statutory ambiguities. Eskridge, supra note 72, at 394.
152. Kerr, supra note 32, at 1644-45.
153. Lany Lessig, The Laws of Cyberspace, in READINGS IN CYBERETHICS 134, 136 (Richard A. Spinello & Herman T. Tavani, eds., 2d. ed. 2004).
154. Admittedly, the purist would argue that this is just redefining computer misuse to capture actions within the broader category of traditional crimes using a computer, and to some extent this may be true. However, if, as 1 argue below, there is some justification for deviation from a strict code-based approach to authorization, this form of contract-based interpretation, where liability is found only where there is a clear violation of a specific contractual definition of misused access, may be the best option for respecting the congressional expression that the CFAA targets crimes of computer misuse.
155. See William N. Eskridge, Jr., Spinning Legislative Supremacy, 78 GEO. L.J. 319, 324 (1989) ("The legislature itself might have a meta-intent that judicial interpreters exercise policymaking discretion.").
156. Notably, courts have opted for "liberal judicial interpretation" consistent with a statute's policy goals where legislative history provides little assistance as to the meaning of a disputed phrase in other modem statutes, such as the Superfund Act. E.g., United States v. Aceto Agric. Chems. Corp., 872 F.2d 1373, 1380 (8th Cir. 1989).
157. See 18 U.S.C § 1030(e) (2006).
158. 1984 CFAA, supra note 76, at § 2102(a).
159. This was despite the fact that that "[t]he whole issue of defining the word 'computer' ha[d] plagued the consideration of computer crime legislation since its early days." H.R. REP. NO. 98-894, at 23 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3709.
160. See 18 U.S.C. § 1030(e).
161. Tompkins & Mar, supra note 79, at 464;
162. Mitch Betts, U.S. attorneys push to clarify vague '84 DP crime law, COMPUTERWORLD, July 1, 1985, at 22.
163. See Int'l Airport Ctrs., L.L.C v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006) (noting how the distinction between "without authorization" and "exceeding authorized access" is "paper thin").
164. See PROSECUTING COMPUTER CRIMES, supra note 3.
165. See 141 CONG. REC. S9422 (1995) ("The need to reevaluate our computer statutes on a continual basis is inevitable ....");
166. CONG. REC. S14,453 (1986) (recording statements of numerous senators concerning how the law is adapting and that the amendments are to "address effectively known evils of computer misuse");
167. S. REP. NO. 101-544, at 5 (1990) (discussing changes to the law to address worms and viruses);
168. H.R. REP. NO. 99-612, at 4 (1986) (stating that Congress is "clarifying the existing laws to deal with the emergence of a new type of computer abuse" through the amendments).
169. Congressional perceptions of computer criminals and the particular threats they pose appear to drive the language and provisions of the CFAA. In the early years of the statute, the focus was on "hackers," who were seen by Congress as prankster-youths who were in fact trespassers with the potential to cause serious problems. See H.R. REP. NO. 99-612, at 5;
170. H.R. REP. NO. 98-894, at 10 (1984), reprinted in 1984 U.S.CCA.N. 3689, 3695-96.
171. A federal computer-crime act was seen as needed to both provide for prosecution of these hackers as well as deter their criminal activities. H.R. REP. NO. 99-612, at 5-6. Similarly, a well-publicized event involving "pirate bulletin boards" between when, the first act was passed and the 1986 amendments sparked congressional concern over this type of computer crime, leading to the development of a provision in the Act regarding trafficking of stolen passwords.
172. Id. at 6;
173. see also 1986 CFAA, supra note 89.
174. Significant additions to the statute also came in 1994 to address the growing use of "worms" and "viruses" by computer criminals. Violent Crime Control and Law Enforcement Act of 1994 Pub. L. No. 103-322;
175. CONG. REC. S 16,421 (1993). In 2002, the statute was again amended to make sure that it captured computer crimes committed by terrorists. See generally, COMPUTER CRIME & INTELLECTUAL PROPERTY SECTION, U.S. DEP'T OF JUSTICE, FIELD GUIDANCE ON NEW AUTHORITIES THAT RELATE TO COMPUTER CRIME AND ELECTRONIC EVIDENCE ENACTED IN THE USA PATRIOT ACT OF 2001 (2001), http://www.usdoj.gov/ criminal/cybercrime/PatriotAct.htm.
176. See 18 U.S.C § 1030 (2006).
177. See, e.g., James J. Brudney, Congressional Commentary on Judicial Interpretations of Statutes: Idle Chatter or Telling Response?, 93 MICH. L. REV. 1, 66-67 (1994) (discussing the concerns raised by courts and commentators over the use of legislative inaction, in statutory interpretation).
178. See, e.g., William N. Eskridge, Jr., Interpreting Legislative Inaction, 87 MICH. L. REV. 67, 67 (1988).
179. Cf. Galbraith, supra note 9, at 368 (calling for congressional amendment to the CFAA to clarify authorization in cases involving public websites, which arguably are also "insider" cases).
180. See RICHARD A. POSNER, THE FEDERAL COURTS: CRISIS AND REFORM 290 (1985) ("Often when there are political pressures to do something about a problem but the legislature cannot agree exactly what to do about it, it will pass a statute to the effect (as well as the undisclosed purpose) of which is to dump the problem in the lap of the courts ....");
181. see also Eskridge, supra note 72, at 386.
182. Paul Diller, Intrastate Preemption, 87 B.U. L. REV. 1113, 1147 (2007) ("Legislative ambiguity is also frequently an intentional recognition of the limitations of the legislative process by the legislature itself. Legislation is necessarily forward-looking and cannot anticipate the circumstances that may arise years ahead concerning a particular application of legislation.");
183. see also WILLIAM N. ESKRIDGE, JR., DYNAMIC STATUTORY INTERPRETATION 123-28 (1994).
184. See supra notes 76-84 and accompanying text.
185. S. REP. NO. 104-357, at 9, 11 (1996).
186. Cf. Dov S. Greenbaum, Commentary, The Database Debate: In Support of an Inequitable Solution, 13 ALB. L.J. SCI. & TECH. 431, 499 (2003) (noting that congressional ambiguity regarding database legislation suggests a desire to leave much of the law open to judicial interpretation);
187. Tiffany M. Wong, Comment, Defendants' Standing to Oppose Lead Plaintiff Appointment Under the Private Securities Litigation Reform Act of 1995, 2003 U. CHI. LEGAL F. 833, 846 (noting that silence in the Private Securities Litigation Reform Act with respect to the most adequate plaintiff presumption "raises the question of whether the text was intentionally left vague to give courts discretion").
188. See Patricia L. Bellia, Defending Cyberproperty, 79 N.YU. L. REV. 2164, 2258 (2004);
189. Kerr, supra note 32, at 1651.
190. See supra Section IIB. 1.
191. Kerr, supra note 32, at 1651.
192. Bellia, supra note 133, at 2258.
193. See POSNER, supra note 128, at 289 (stating that considerations of judicial administration may be useful where there is uncertainty as to the conect statutory interpretation).
194. See supra Section II.B.2.
195. This notion that it is acceptable for the courts to branch out somewhat in their interpretation of the statute in these insider cases may even be supported under other jurisprudential theories of statutory interpretation. Although there are a wide variety of views on statutory interpretation, one clear divide exists between those that view judges as "honest agents," whose role it is to carry out the commands of the legislature by closely adhering to a statute's text and legislative history, and those that argue that courts should consider the cooperative nature of lawmaking, the importance of context, and the need for statutes to evolve over time. See ESKRIDGE, supra note 129, at 141-42;
196. Eskridge, supra note 113, at 320-21 (1989). Arguably, many of the "honest agent" variety could find that courts should adopt a different interpretation of authorization when the case involves an insider; the legislative history suggests those situations are different and perhaps require a bit more independent judgment by the honest agent.
197. See ESKRIDGE, supra note 129, at 124. Additionally, those who are more open to a dynamic, evolutionary perspective to statutory interpretation might argue that courts should have the opportunity to provide an interpretation that better responds to the different context present in the insider situation.
198. See id. at 142.
199. See Warner, supra note 27, at 12.
200. See supra Section II.B. 1.
201. Agency principles should not be used to interpret words in a statute without a careful examination of the impact of such incorporation. See Deborah A. DeMott, Statutory Ingredients in Common Law Change: Issues in the Development of Agency Doctrine, in COMMERCIAL LAW AND COMMERCIAL PRACTICE 57, 83 (Sarah Worthington ed., 2003) ("[Transplanting common-law doctrines into statutory settings requires care and close attention to statutory purpose and the operative meaning of common-law doctrines.").
202. Other commentators have noted how "strikingly broad" the agency-based theory of authorization is. E.g., Kerr, supra note 32, at 1633.
203. Deborah A. DeMott, Beyond Metaphor: An Analysis of Fiduciary Obligation, 1988 DUKE L.J. 879, 879.
204. Robert Cooter & Bradley J. Freedman, The Fiduciary Relationship: Its Economic Character and Legal Consequences, 66 N.Y.U. L. REV. 1045, 1045-46 (1991);
205. DeMott, supra note 144, at 879, 882.
206. Cf. Michael J. Phillips, Employer Sexual Harassment Liability Under Agency Principles: A Second Look at Meritor Savings Bank, FSB v. Vinson, 44 VAND. L. REV. 1229, 1255-56 (1991) (arguing against the use of agency principles in employment sexual harassment cases and stating that because of the poor fit between agency rules and sexual harassment law "courts tend to apply different rules in different settings, often in an apparently manipulative, result-oriented fashion");
207. Dawn K. McGee, Note, Potential Liability for Misrepresentations in Residential Real Estate Transactions: Let the Broker Beware, 16 FORDHAM URB. L.J. 127, 150-51 (1988) ("[C]ourts are ... imposing] broker liability for misrepresentation or nondisclosure on a result-oriented basis.").
208. See, e.g., Meinhard v. Salmon, 164 N.E. 545, 546 (N.Y. 1928) ("A trustee is held to something stricter than the morals of the market place. Not honesty alone, but the punctilio of an honor the most sensitive, is then the standard of behavior.");
209. see also Robert C Clark, Agency Costs versus Fiduciary Duties, in PRINCIPALS AND AGENTS: THE STRUCTURE OF BUSINESS 55, 75-76 (John W Pratt & Richard J. Zeckhauser eds., 1985);
210. Robert W. Tuttle, The Fiduciary's Fiduciary: Legal Ethics in Fiduciary Representation, 1994 U. ILL. L. REV. 889, 896.
211. Frank H. Easterbrook, Foreword, The Court and the Economic System, 98 HARV. L. REV. 4, 60 (1984).
212. Int'l Airport Ctrs., L.L.C v. Citrin, 440 F.3d 418, 419 (7th Cir. 2006); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125 (W.D. Wash. 2000).
213. Citrin, 440 F.3d at 419-20.
214. Warner, supra note 27, at 20-21.
215. RESTATEMENT (SECOND) OF AGENCY § 112 (1958).
216. See id. § 108(2).
217. See H.R. REP. NO. 98-894, at 15 (1984), reprinted in 1984 U.S.CCA.N. 3689, 3701 (excluding unauthorized access for use that is "incidental," such as doing homework or playing computer games).
218. Notably, the Third Restatement of Agency tightens some of these conceptual gaps that present opportunities for differing outcomes because it evaluates whether authority was actually present in a situation rather than whether circumstances terminated it. See RESTATEMENT (THIRD) OF AGENCY § 306 reporter's notes (2006). Under a Third Restatement interpretation of access "without authorization," section 2.01 could be used to find that the employee never had authority for the specific action because it was unreasonable for him to believe that his employer wished him to take the action of, for example, deleting incriminating files or downloading confidential information that will later be used to compete with the employer.
219. See id. § 2.01. Because the analysis would turn on whether the employee possessed authority for a specific access instance, it would not face the same issues as termination-based authority regarding the status of later instances of access. Arguably, however, the manipulability problem is not quite solved; a court could now simply use the Third Restatement construction rather than the Second, or vice versa, to reach the specific outcome they want.
220. 18 U.S.C § 1839(3) (2006); UNIF. TRADE SECRETS ACT § 1(4) (1985).
221. See Chan & Rubiner, supra note 10, at 12.
222. H.R. REP. NO. 104-788, at 7 (1996), reprinted in 1996 U.S.CCA.N. 4021, 4026.
223. See, e.g., Black & Decker (U.S.), Inc. v. Smith, 568 F. Supp. 2d 929, 930 (W.D. Tenn. 2008), interlocutory appeal granted, No. 07-1201, 2008 WL 3850825 (W.D. Tenn. Aug. .13, 2008).
224. Peter J. Pizzi, Disloyal Employees: Computer Abuse Law Turns on Meaning of 'Without Authorization', N.Y. LJ., Sept. 5, 2006, at 5, 9.
225. Warner, supra note 27, at 13.
226. See J.A.C. Hetherington, Defining the Scope of Controlling Shareholders' Fiduciary Responsibilities, 22 WAKE FOREST L. REV. 9,11 (1987).
227. See Phillips, supra note 146, at 1255.
228. GREGORY, supra note 14, at 5, (noting that agency relations may be created by "mistake");
229. see id. at 34 (discussing the creation of agency and the lack of formalities required).
230. See supra Section II.B.1.
231. See, e.g., Kerr, supra note 32, at 1650 (discussing the contract-based approach with respect to website owners and internet users).
232. Kerr, supra note 32, at 1646 ("Regulation by contract offers a significantly weaker form of regulation than regulation by code.");
233. see also Bellia, supra note 133, at 2258 (discussing due process concerns raised by allowing a network, owner's posted usage policy to potentially determine criminal liability);
234. Galbraith, supra note 9, at 345-49 (criticizing the use of an employment contract to define unauthorized access in a CFAA case).
235. Ken, supra note 32, at 1650. Because interpretations in the civil context can be applied to criminal prosecutions under the CFAA, this main concern feeds into other concerns-specifically, that the computer owner will be able to define the scope of criminality.
236. Id. at 1651. And, if it is not clear to a user that he is operating under a contract, there is the potential for due process violations.
237. Bellia, supra note 133, at 2258.
238. Kerr, supra note 32, at 1646.
239. E.g., id. 1650 (discussing the click-through restrictions a computer network owner could create to define access).
240. E.g., id. at 1646 (discussing how a seventeen-year-old can easily misrepresent her age in order to access a site that requires users to indicate
241. Bellia, supra note 133, at 2234-41;
242. Galbraith, supra note 9, at 321-24; Kerr, supra note 32.
243. Defendant Timothy C. Smith's Reply in Support of his Motion to Dismiss at 3, Black & Decker (U.S.), Inc. v. Smith, 568 F. Supp. 2d 929, 933-34 (W.D. Tenn. 2008) (No. l:07-cv-01201-JDT-sta), interlocutory appeal granted, No. 07-1201, 2008 WL 3850825 (W.D. Tenn. Aug. 13, 2008) (citing the Employment Access Agreement).
244. See supra Section II.B. 1.
245. See, e.g., Black & Decker, 568 F. Supp. 2d at 933-37 (outlining the divide between courts applying an agency-based approach and those applying a code-based approach and adopting the latter without substantial consideration of the employment agreements relating to the employee's authorization).
246. Indeed, an unconscionability analysis drawn, from contract law could unnecessarily confuse the CFAA analysis and may be a factor that courts could take into account when deciding whether to use a contract to define authorization in a particular CFAA employment case.
247. See supra Section I.C.
248. See supra Section III.B.l.
249. Ian Ayres & Robert Gertner, Filling Gaps in Incomplete Contracts: An Economic Theory of Default Rules, 99 YALE LJ. 87, 97, 128 (1989).
250. Information-eliciting penalty default rules that place the burden on employers have been found beneficial in other employment contexts where the default offers (1) more protection for employees who are generally ignorant of the laws governing their employment relationships and (2) forces the better informed employers to educate employees about the terms governing the employment relationship. Rachel Leiser Levy, Comment, Judicial Interpretation of Employee Handbooks: The Creation of a Common Law Information-Eliciting Penalty Default Rule, 72 U. CHI. L. REV. 695, 697-98 (2005).