How do semi-nude photos, suicide and a possible decision by the US Supreme Court relate to a Nebraska decision handed down last month on the Computer Fraud and Abuse Act (“CFAA”)? Without referencing the Lori Drew case, a federal district court in Nebraska held that the CFAA “is not void for vagueness and provides sufficient notice and warning of prohibited conduct under the statute.” U.S. v. Powers, 2010 WL 1418172 *3-*4 (D. Neb. March 4, 2010).
In Drew the defendant, a 49 year-old woman, was convicted of three misdemeanor counts of violating the federal Computer Fraud and Abuse Act. She had created a MySpace account to misrepresent herself as a 16 year-old boy to harass thirteen year old Megan Meier who, as a result, committed suicide. The felony count, upon which Drew had not been convicted, was predicated on unauthorized access to the MySpace computer system with the intent to commit the tortious act of intentional infliction of emotional distress. The District court overturned the jury verdict finding that the CFAA was void for vagueness. U.S. v. Drew, 259 F.R.D. 449, 462-68 (C.D. Ca. 2009)
Chad Powers is presently charged in the District of Nebraska with intentionally exceeding authorized access to a computer and obtaining information from that computer in furtherance of the tortious acts of invasion of privacy and intentional infliction of emotional distress. The indictment charges Powers with entering the computer of Shaunna Briles and sending “via her America Online (AOL) e-mail account and addressed to individuals in her account address book” “approximately eight images of . . . Briles, partially nude and/or engaging in provocative poses.” Powers, 2010 WL 1418172 at *1. Additional emails were sent to “addresses Briles did not recognize” and another was sent to “a co-worker.” Id. Briles had provided Powers with the password for the email account, but the indictment charged Powers with “exceeding the purpose for which the password was given.” Id.
Powers moved to dismiss the indictment on the ground that the CFAA is “void for vagueness because it does not provide sufficient warning of what conduct is prohibited and denied Powers due process of law as guaranteed by the Fifth Amendment to the United States Constitution.” Id. *3. Powers asserted that the CFAA “was not enacted to protect personal computers” but rather “Congress intended the statute to protect financial and governmental institutions from intrusions by hackers seeking information or maliciously altering the computer systems.” Id. The court denied Powers motion finding that the CFAA provided adequate notice of prohibited conduct and did not lend itself to arbitrary enforcement.
This decision is significant for several reasons. First, unlike the decision in Drew it correctly disposes of the notion that the CFAA is a constitutionally infirm statute.
Second, without saying so the court is at odds with the 9th Circuits decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009) which held that a defendant’s motive in accessing the computer cannot be considered on whether “access” was authorized so long as the defendant had permission to access the computer in the first instance. Powers, like the employees in Brekka, had permission to access Briles computer and had been provided with the password to her email, but to prove that he exceeded authorized access the government will need to prove that his motive in accessing the computer was to perform acts on the computer for which he did not have permission, i.e. sending the photos to others to inflict upon Briles emotional distress and to invade her privacy.
Third, this opinion re-affirms the position taken by the vast majority of courts that Congress intended the CFAA to be applied broadly to keep pace with changing technology. If Powers is convicted, this may be the case that will reach the Supreme Court to resolve once and for all the proper scope of the statute.