Specifically, Kernell argued first, “that it is “constitutionally unfair” for Congress to “use a state common law civil cause of action in tort to transform a federal misdemeanor into a federal felony” and second, “that Section 1030 [the CFAA] is unconstitutionally vague both on its face and as applied to him. Id. The court rejected Kernell’s motion and specifically held that the CFAA’s terms “access,” “obtain,” and “information” are not vague, and the even though those terms “are not defined in Section 1030, their meaning in the context of the statute can be understood by a person of ordinary intelligence” and thus “[t]he failure to define statutory terms does not automatically render those terms vague.” Id. at *5.

The court also held that the phrase in the statute “any criminal or tortious act” is not vague” because “[t]he plain meaning of the phrase provides objective criteria that permit an individual to determine whether a particular violation of . . . [the CFAA] amounts to a felony.” Id. at *6. In short, the court held that the CFAA does not violate the due process clause of the Fifth Amendment to the U.S. Constitution. Without mentioning the Lori Drew case, U.S. v. Drew, 259 F.R.D. 449, 462-68 (C.D. Ca. 2009), the court’s decision is counter to the reasoning of that decision which found the CFAA to be unconstitutional.

In Drew the defendant, a 49 year-old woman, was convicted of three misdemeanor counts of violating the federal Computer Fraud and Abuse Act. She had created a MySpace account to misrepresent herself as a 16 year-old boy to harass thirteen year old Megan Meier who, as a result, committed suicide. The felony count, upon which Drew had not been convicted, was predicated on unauthorized access to the MySpace computer system with the intent to commit the tortious act of intentional infliction of emotional distress. The District court overturned the jury verdict finding that the CFAA was void for vagueness. U.S. v. Drew, 259 F.R.D. 449, 462-68 (C.D. Ca. 2009)

Chad Powers is presently charged in the District of Nebraska with intentionally exceeding authorized access to a computer and obtaining information from that computer in furtherance of the tortious acts of invasion of privacy and intentional infliction of emotional distress. The indictment charges Powers with entering the computer of Shaunna Briles and sending “via her America Online (AOL) e-mail account and addressed to individuals in her account address book” “approximately eight images of . . . Briles, partially nude and/or engaging in provocative poses.” Powers, 2010 WL 1418172 at *1. Additional emails were sent to “addresses Briles did not recognize” and another was sent to “a co-worker.” Id. Briles had provided Powers with the password for the email account, but the indictment charged Powers with “exceeding the purpose for which the password was given.” Id.

Powers moved to dismiss the indictment on the ground that the CFAA is “void for vagueness because it does not provide sufficient warning of what conduct is prohibited and denied Powers due process of law as guaranteed by the Fifth Amendment to the United States Constitution.” Id. *3. Powers asserted that the CFAA “was not enacted to protect personal computers” but rather “Congress intended the statute to protect financial and governmental institutions from intrusions by hackers seeking information or maliciously altering the computer systems.” Id. The court denied Powers motion finding that the CFAA provided adequate notice of prohibited conduct and did not lend itself to arbitrary enforcement.

This decision is significant for several reasons. First, unlike the decision in Drew it correctly disposes of the notion that the CFAA is a constitutionally infirm statute.
Second, without saying so the court is at odds with the 9th Circuits decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009) which held that a defendant’s motive in accessing the computer cannot be considered on whether “access” was authorized so long as the defendant had permission to access the computer in the first instance. Powers, like the employees in Brekka, had permission to access Briles computer and had been provided with the password to her email, but to prove that he exceeded authorized access the government will need to prove that his motive in accessing the computer was to perform acts on the computer for which he did not have permission, i.e. sending the photos to others to inflict upon Briles emotional distress and to invade her privacy.

Third, this opinion re-affirms the position taken by the vast majority of courts that Congress intended the CFAA to be applied broadly to keep pace with changing technology. If Powers is convicted, this may be the case that will reach the Supreme Court to resolve once and for all the proper scope of the statute.