The Computer Fraud and Abuse Act (CFAA) (see 18 U.S.C. § 1030) is a law that generally prohibits intentionally accessing a computer without authorization and obtaining information from a protected computer. Congress, however, decided to leave interpretation of “without authorization” to the courts. This causes some uncertainty in analyzing whether certain online behavior might be illegal – especially when the computer that is accessed is a publicly accessible computer. This leads us to United States v. Auernheimer.
Auernheimer and his friend Spitler discovered a publicly accessible page on AT&T’s website that displayed subscriber email addresses when prompted with a unique ICC ID serial number. This page was available to anyone who had the URL (which, as of 1/21/2015, is still publicly available at: https://dcp2.att.com/OEPNDClient/openPage?ICCID=). Auernheimer and Spitler realized that these unique ICC ID serial numbers followed a predictable pattern. The pair wrote a script that could gather email addresses by feeding the page these predictable ICC ID serial numbers. In all, they ended up collecting around 114,000 different email addresses.
At trial in United States v. Auernheimer, the key issue was determining the meaning of “without authorization” under the CFAA and, more importantly, whether Auernheimer (Spitler accepted a plea deal and never went to trial) intentionally accessed AT&T’s web servers without authorization.
The government argued that Auernheimer accessed AT&T’s web servers “without authorization” because AT&T neither designed nor intended the page to be publicly available. Auernheimer argued that the page was publicly available, which, by default, should grant him authorization to access the page.
The District Court looked to the 6th Circuit’s decision in Pulte Homes to help determine what “without authorization” means:
Congress left the interpretation of “without authorization” to the courts, we again start with ordinary usage. The plain meaning of “authorization” is “[t]he conferment of legality; … sanction.” Commonly understood, then, a defendant who accesses a computer “without authorization” does so without sanction or permission.
In convicting Auernheimer, the District Court reasons that Auernheimer accessed AT&T’s website without permission – and therefore without authorization. However, the Court mysteriously fails to convincingly identify where Auernheimer lost the permission to access a publicly available website.
Fortunately for Auernheimer, the 3rd Circuit overturned the conviction on appeal. Unfortunately, though, the 3rd Circuit opted to forgo answering the salient question of “what does ‘without authorization’ mean?” Instead, the 3rd Circuit issued an opinion vacating Auernheimer’s conviction on the basis that venue in New Jersey was improper. United States v. Auernheimer, 748 F.3d 525 (3rd Cir. 2014).
Though the 3rd Circuit did not address the substantive question of the legality of Auernheimer’s use of a script to access the AT&T page, it appeared skeptical of the original conviction. The 3rd Circuit noted that “no evidence was advanced at trial that the [script] ever breached any password gate or other code-based barrier. The [script] simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.” Auernheimer, 748 F.3d at 534 n.5.
So the answer, based on the footnote in the 3rd Circuit’s opinion in Auernheimer, appears to be that if you are not breaching a password gate or other code-based barrier, you cannot be convicted of accessing a publicly available page “without authorization.”