United States v. John (2010)

In United States v. John, 597 F.3d 263 (2010), the United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(e)(6), and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.

In particular, the court ruled that an employee would exceed authorized access to a protected computer if he or she used that access to obtain or steal information as part of a criminal scheme.

The case addresses the distinction, for the purposes of the CFAA, between authorized access to information and the subsequent use of information obtained through that authorized access.

Background
Dimetriace Eva Lavon John was employed as an account manager at Citigroup for approximately three years. She was authorized to access Citigroup's internal computer system, which contained customer account information, in the course of her official duties.

In September 2005, John provided Leland Riley, her half-brother, with customer account information pertaining to at least seventy-six corporate customer accounts of Citigroup customers. She collected the information from the internal computer system of Citigroup and provided it to Riley in the form of either scanned images of checks written by the account holders or printouts of computer screens, which contained detailed account information.

Riley and his co-conspirators used the customer account information provided by John to incur fraudulent charges on four different customer accounts. The fraudulent charges actually incurred totaled $78,750.

John was found guilty by the United States District Court for the Northern District of Texas of:
 * conspiracy to commit access device fraud in violation of 18 U.S.C. § 371;
 * fraud in connection with an access device and aiding and abetting in violation of 18 U.S.C. §§ 1029(a)(5) and (2);
 * exceeding authorized access to a protected computer in violation of 18 U.S.C. §§ 1030(a)(2)(A) and (C).

John appealed the indictment to the Fifth Circuit. She argued that she was authorized to use Citigroup's internal computer system as an employee. John contended that the Computer Fraud and Abuse Act does not prohibit unlawful use of material that she was allowed to access through authorized use of a computer.

Exceeding authorized access to a protected computer
This case centers on whether an employee who was authorized to access an employer's internal computer system in order to perform her job duties should be charged for unlawful use of the information that she was authorized to access, in violation of 18 U.S.C. § 1030(e)(6).

As the Fifth Circuit analyzed the case, the crucial issue was whether "authorized access" or "authorization" may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system.

§ 1030(e)(6) defines the term "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

John contended that she was authorized to use Citigroup's internal computer system and that she was permitted to view and print information regarding Citibank customers' accounts in the course of her official duties. She argued that the CFAA prohibits only using authorized access to obtain information that she was not entitled to obtain, and does not impose liability for the unlawful use of information that she was authorized to access.

The courts have interpreted the term "exceeding authorized access" in two contrary ways.

In determining what constitutes exceeding authorized access in LVRC Holdings v. Brekka, the Ninth Circuit concluded that a person who is authorized to use a computer does not exceed authorization simply by acting contrary to the computer owner's interest, but only by obtaining or altering information in the computer that she is not entitled to obtain or alter.

LVRC Holdings LLC filed a lawsuit against its former employee, Christopher Brekka, who accessed the company computer, obtained LVRC's confidential information and emailed it to himself and his wife to further his personal interest and to compete with his employer once he left the company.

The Ninth Circuit ruled that Brekka's use of LVRC's computers to email documents to his own personal computer did not exceed authorized access and violate § 1030(a)(2) or § 1030(a)(4), because Brekka was authorized to access the LVRC computers during his employment with LVRC. The Ninth Circuit stated that an employee can violate the employer-placed limits on accessing the information stored on the computer and still have authorization to access the computer. Similarly, a person who is authorized to use a computer does not exceed authorization simply by acting contrary to the computer owner's interest, but only by obtaining or altering information in the computer that she is not entitled to obtain or alter.

In EF Cultural Travel BV v. Explorica, Inc., the First Circuit construed the term "exceeds authorized access" in a different way, interpreting "exceeding authorized access as exceeding the purposes for which such access was given." The court held that the former employees exceeded authorization of the EF computer system in violation of § 1030(a)(4), because they breached the confidentiality agreement with the former employer and used proprietary information and know-how that they obtained while employed by EF to create a computer program allowing them to compete with the former employer.

Fifth Circuit reasoning
Recognizing both the concept that access to the computer is governed by the scope of the employment agreement and the concept that the employee is still considered to have authorization to use a computer even if he or she used the computer or information on it in ways contrary to the employer's limitations, the Fifth Circuit agreed with the former interpretation and elaborated on it.

The Fifth Circuit confirmed that access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded. The court further stated that an express restriction on access to a computer is in fact binding at least if the wrongdoer accesses the computer in furtherance of a criminal act.

The court found that although John was authorized to view and print all of the information that she accessed, her use of Citigroup's computer system to incur fraudulent charges was not an intended use of that system.

John's access to the Citigroup computer system was confined, and she was aware of Citigroup's employee policies establishing restrictions on the use of the Citigroup computer system.

Despite being aware of these policies prohibiting misuse of the company's computer system, John accessed account information for customers whose accounts she did not manage, removed this highly sensitive information from the Citigroup premises, and used this information to perpetrate a fraud on Citigroup and its customers.

The Fifth Circuit concluded that John exceeded authorized access to a protected computer within the meaning of the CFAA. The court's reasoning was that John knew that the purpose for which she was accessing the information in a Citigroup computer system both violated the employer's internal policies and was part of an illegal scheme.

Holding
The court affirmed John's convictions, but vacated her sentence on the ground that it had been imposed without accompanying justification by the district court and without the district court's consideration of the correct sentencing range. The Fifth Circuit remanded the case for further proceedings.