On March 17, the New York Times covered a new item on the growing list of high-profile data breaches with its article detailing how a British political consulting firm, Cambridge Analytica, obtained personal information from millions of Facebook users by way of a low-profile researcher. The revelation sent shock waves through the online community, and the public outcry was swift and resounding. As more details emerge, Facebook and Cambridge Analytica will continue to face political and legal repercussions from all angles—with one possible legal instrument being the Computer Fraud and Abuse Act (CFAA).
As we outlined in a prior post, the leak resulted from a series of data-sharing steps and relationships, only one of which was restricted under Facebook’s terms.
First Step – Initial Users. Dr. Aleksandr Kogan, a Cambridge University researcher, launches a research project by offering a personality quiz through a Facebook app that attracts 270,000 users, who consent to sharing their data with Dr. Kogan for research purposes.
Second Step – Facebook Friends. Dr. Kogan’s app further harvests personal information from the profiles of the users’ Facebook friends to build a data cache that includes information from a reported 87 million Facebook users. These additional Facebook users did not affirmatively consent to sharing their data, but Facebook’s policies permitted Dr. Kogan to gather their information for purposes of improving the user experience of his app. However, the same policies barred selling the personal information or using it for advertising.
Third Step – Cambridge Analytica. Throughout this process, Cambridge Analytica provided the financial backing for the research project and, in exchange for its funding, received a copy of the collected data from Dr. Kogan. After Dr. Kogan transferred the data to Cambridge Analytica, the firm used the information in its political consulting business. This transfer violated the Facebook policies described above.
Although this breach could implicate a variety of theories under the piecemeal legal framework surrounding data breaches, it provides a particularly salient case study for the current state of the CFAA.
Congress enacted the CFAA in 1986 as an anti-hacking statute aimed at addressing a growing fear of computer-related crime in an era that predated the modern internet. Specifically, the CFAA proscribes unauthorized access to a protected computer in the form of either (i) access without authorization, or (ii) use that exceeds authorized access. It is a criminal statute that also provides a private right of action for certain aggrieved parties, but, unlike a common law trespass claim, it does not require proof of diminished server capacity. The CFAA has been increasingly invoked in recent years, but its resurgence has been met with controversy as prosecutors and other parties regularly attempt to stretch its reach to address contemporary issues in cyber law. Nonetheless, the Facebook-Cambridge Analytica saga illustrates several nuances of “unauthorized access” under the CFAA and highlights one of its more contentious features.
Access without authorization under the CFAA requires either (a) access without permission, or (b) access after permission is revoked. In Dr. Kogan’s case, this issue is fairly straightforward because he had permission to access and to gather the personal information in question. Indeed, Facebook confirmed this with a statement that Dr. Kogan “gained access to this information in a legitimate way and through proper channels.” But, did Dr. Kogan exceed the scope of this authorized access?
The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” In this case, not only did Dr. Kogan have legitimate authorization from Facebook to access and gather the information, but he never overstepped the bounds of that permission. If Dr. Kogan did anything to violate his authorization, it was the ultimate use of the data—that is, the transfer to Cambridge Analytica for its political consulting business—and not his access to it. On the importance of the distinction between violations of use-based restrictions and access-based restrictions under the CFAA, the American courts are currently split. Most courts downplay the distinction, but, notably, the Court of Appeals for the Ninth Circuit has held that a CFAA claim for exceeding authorized access may not rest on a defendant’s violation of a use restriction rather than an access restriction. Thus, for any lawsuit asserting a CFAA violation in this case, liability could turn on which circuit’s law applies.
As data breaches and the application of the CFAA continue to fill headlines, the courts will continue to be tasked with interpreting and applying an aging statute to cutting-edge legal issues. Without action by Congress, and in light of the Supreme Court’s recent decision to not weigh in on the matter, watch for the lower courts to determine the extent of the CFAA’s application through divided guidance from the circuit courts of appeal, including on whether or not impermissible downstream use of data can transform otherwise authorized access into proscribed unauthorized access.