Problems with the NFT “Insider Trading” Case

Last month the U.S. Attorney’s office for the Southern District of New York announced, with considerable fanfare, that it had brought charges in the “first ever digital asset insider trading scheme.” Prosecutors charged the defendant, Nathaniel Chastain, with using inside information to purchase NFTs that were about to be featured on his employer’s digital marketplace and then resell them at a substantial profit.

The Department of Justice may have been looking to make a splash and send a signal that it is cracking down on crime related to crypto assets. But despite the flashy headlines, this is not an insider trading case. In fact, it’s not clear it should be a criminal case at all.

Picture of different cryptocurrencies

Facts of the Chastain Case

Non-Fungible Tokens, or “NFTs,” are digital assets that are stored on a blockchain, a digital, centralized ledger of transactions. NFTs are unique digital identifier codes that are associated with a particular digital object, such as a piece of digital art. Although digital images can be reproduced, only the owner of the NFT can be said to own the original digital work, which is considered more valuable – sort of like the difference between owning an original Renoir and a print. The Bored Ape Yacht Club, which features thousands of NFTs of cartoon ape characters, is a well-known example.

Chastain worked at OpenSea, the largest online marketplace for the purchase and sale of NFTs. Beginning in May 2021, OpenSea regularly featured particular NFTs at the top of its website’s homepage. Once featured on OpenSea, an NFT usually would rapidly increase in value due to a sudden rise in popularity and demand.

According to the indictment, Chastain was in charge of selecting which NFTs would be featured on OpenSea’s homepage. As OpenSea’s employee, he had an obligation to keep this company information confidential and not exploit it for his own use. But between June and September 2021 he allegedly used this advance knowledge to purchase dozens of NFTs shortly before they were featured on OpenSea. He then sold them at a profit after they were featured and their value rose.

This was not a big-dollar case. The indictment doesn’t specify how much money was involved (which itself is a bit unusual). But in court when he was arraigned, his attorneys claimed that Chastain made only about $65,000 from the scheme.

An interesting aspect of this case is that it appears others in the Crypto-NFT community were the first to figure out what was going on and flag it publicly:

This apparently led OpenSea to fire Chastain and ultimately led to his prosecution. This was possible because what happens on a blockchain is basically public, if you know where to look. (That may have implications for the money laundering charge, as discussed below.)

The Definition of Insider Trading

The very first line of the indictment claims, “This case concerns insider trading in Non-Fungible Tokens or ‘NFTs’ on OpenSea , the largest online marketplace for the purchase and sale of NFTs.” But this is not an insider trading case – at least, not as that term has been used for decades.

Insider trading involves using material, nonpublic information to buy or sell securities in violation of a duty of trust and confidence. Classic or traditional insider trading involves a corporate officer using nonpublic company information to trade shares in her own company, in violation of the duty she owes to her shareholders. Under the “misappropriation theory,” someone who is not a corporate insider but who uses nonpublic information to trade securities in violation of some duty of trust and confidence may also be guilty of insider trading. That duty may arise from trusted relationships such as that between attorney and client or between an employee and an employer.

The Chastain indictment uses some misappropriation theory language that makes the case sound like insider trading. It alleges that Chastain “misappropriated information from his employer, OpenSea, in violation of a duty of trust and confidence that he owed the company, and then used that information to buy and sell the NFTs.”

In an insider trading case the “victim” is the investing public; it’s really a crime against the securities markets. In a true misappropriation theory case the crime is not the breach of a duty (to an employer, in this case) – it’s using the information obtained via that breach to then buy or sell securities. But in this case the government has alleged that the victim is Chastain’s employer, OpenSea. They have charged Chastain with defrauding OpenSea by taking confidential company information and converting it to his own use.

The bull sculpture on Wall Street

NFTs Are Not Securities – and This Isn’t Insider Trading

Insider trading is a species of securities fraud. It’s a crime against the public securities market that damages investor confidence in those markets. As such, it is typically charged as a violation of the Securities Exchange Act of 1934, specifically 15 U.S.C. § 78j and Rule 10b-5 of the Securities Exchange Commission, which prohibit using any manipulative or deceptive device in connection with the purchase or sale of a security. Insider trading may also be charged under a more recent statute, 18 U.S.C. 1348, which also applies to fraud in connection with publicly-traded securities.

The first requirement of these charges is that the fraud was in connection with the purchase or sale of a “security.” But NFTs generally are not considered securities for purposes of these laws.

NFTs obviously are not publicly-listed securities traded on stock exchanges. But other kinds of investments may also qualify as securities under some circumstances. To determine whether an investment is a security, courts apply what is known as the Howey test, named for an early Supreme Court case. Under that test, characteristics of a security include a common enterprise or horizontal connection among various investors whose fortunes are tied to each other, and a vertical connection between investors and the promoters of the investment, with investors depending on profits that will be derived from the efforts of others. Think of the different shareholders investing in a company as the classic example.

Some crypto assets such as cryptocurrencies could potentially qualify as securities — that is currently a matter of considerable debate and uncertainty. But NFTs are more like collectibles or artwork. The closest analogy is buying a painting. If I buy an individual work of art, I am not involved in a common enterprise with any other investors. I may hope that it will increase in value, but I’m not depending on the work of others to make that happen. So when I buy my original Renoir, I am not purchasing a “security” under the Howey test.

Whether the NFTs sold on OpenSea qualify as securities might be a legal issue fought out in some future case (although I think the answer is pretty clear), but it’s not going to be an issue in the Chastain case. For despite calling this an “insider trading” prosecution, the government has not alleged that the NFTs Chastain bought and sold were securities.

If we are not talking about securities, then securities fraud charges — including insider trading — are not an option. And indeed, prosecutors have not employed the statutes that are used to prosecute insider trading. They did not charge Chastain with violating the Securities Exchange Act or other securities fraud statutes. Instead, they charged him with wire fraud.

A final indication that this is not a securities fraud case is the absence of the Securities Exchange Commission. Typically a securities fraud prosecution would involve investigators and agents from the SEC. Here the case is being pursued only by the FBI, working with the DOJ prosecutors.

In short – this is not an insider trading case, despite the headlines and indictment language to the contrary.

Carpenter v. United States

So if this is not an insider trading case, what kind of case is it? Prosecutors have charged Chastain with defrauding his employer, OpenSea, by taking its confidential business information and using that information for his own benefit. The lead charge is good old wire fraud, 18 U.S.C. § 1343 – the prosecutor’s best friend.

There’s no allegation that Chastain harmed any of those who purchased the NFTs after he bought them, or that he owed them any kind of duty. And there’s no evidence that they were actually harmed, since Chastain’s actions didn’t drive up the price and presumably they would have bought the featured NFT regardless of who owned it.

At a court hearing, prosecutors alleged that the landmark 1987 Supreme Court case of Carpenter v. United States supports the wire fraud charge. Carpenter involved a reporter at the Wall Street Journal named R. Foster Winans who wrote a column called “Heard on the Street.” Because of the column’s influence, the stock price of companies he discussed could be expected to rise or fall in response to its publication. Winans entered into a scheme with some stockbrokers to buy and sell stocks before the column was published, using his advance knowledge of the column’s contents. They then profited from changes in the stock prices after the column was published.

Unlike Chastain, Winans actually was prosecuted for insider trading under the misappropriation theory, with the government alleging he had misappropriated the column information in violation of his duty to the Journal. That conviction was upheld by the Second Circuit Court of Appeals, but the Supreme Court evenly divided on the question. When that happens the judgment is affirmed but the case has no value as precedent. (The Supreme Court did not fully embrace the misappropriation theory until ten years later in United States v. O’Hagan.)

But as an alternative theory, prosecutors charged Winans with mail and wire fraud. They alleged he had defrauded the Journal of its intangible business property, in the form of the content of the upcoming column. Unlike with the securities fraud charge, in the mail fraud charge the victim was Winans’ employer, the Journal. His use of the information in the upcoming columns, prosecutors argued, deprived the Journal of its exclusive right to its confidential business property. The Supreme Court upheld this basis of criminal liability.

Image of US Supreme Court, which decided the Bob McDonnell case
United States Supreme Court

Were OpenSea’s Business Plans Property?

On its face, the Chastain case does sound a lot like Carpenter. But prosecutors may face one significant hurdle: proving that the information used by Chastain amounted to “property” for purposes of wire fraud.

The Supreme Court has repeatedly held that fraud requires that the defendant deprived the victim of property. Economic or business interests that do not constitute property cannot form the basis of a fraud charge. The Court’s trend for the past few decades — ever since Carpenter, in fact — has been to limit the reach of the federal fraud statutes by narrowly interpreting this property requirement.

The most recent example was the Court’s 2020 decision in the “Bridgegate” case, Kelly v. United States. There the Court unanimously rejected the government’s theory that the defendants had defrauded the New York/New Jersey Port Authority through a scheme to close traffic lanes on the George Washington Bridge. The Court held that the Port Authority’s power to control access to the bridge, the power of “allocation, exclusion, and control” – although undoubtedly valuable — was not a property interest for purposes of federal fraud laws.

In Carpenter, Winans had argued that the content of the upcoming column was not a property interest and was too intangible to form the basis of a fraud charge. But the Court rejected that claim, holding that the contents of the column amounted to intangible business property, akin to intellectual property such as patents or copyrights.

Prosecutors will argue that Chastain likewise misappropriated the intangible business property of OpenSea. But it’s not clear that argument will fly. A good definition of “property” is a bundle of rights in something that can be possessed, exclusively enjoyed, and transferred to others. That was true of the contents of the “Heard on the Street” column: the Journal owned it exclusively, controlled it, and could have transferred it — by selling the content to another publication, for example. The contents of the column were thus intangible property akin to other intangibles such as patents, which can be exclusively enjoyed or licensed or sold to others.

It’s not clear this is true of OpenSea’s plans for its homepage. The internal plan regarding what NFT to feature is not an asset that could be sold or licensed to someone else. That information may be valuable to OpenSea and it may wish to keep it confidential, but that does not mean it is a property interest for purposes of federal fraud laws. Again, misuse of such information might support an insider trading charge — if we were talking about trading securities. But I’d argue that misuse of internal company plans does not amount to property fraud.

To prove wire fraud, prosecutors will have to prove not merely that Chastain improperly used OpenSea’s private business information, but that he deprived the company of property. I think that will be an uphill battle.

The “Loss of Control” Theory

It’s possible prosecutors intend to rely on the “loss of control” theory to argue that Chastain engaged in fraud. That theory holds that a defendant engages in fraud when he deprives a victim of potentially valuable information that would help the victim decide how to use his assets. The government’s theory might be that Chastain, by deceiving OpenSea and concealing his misuse of its business information, deprived OpenSea of valuable information it otherwise would have use to decide how to control its website, or its business in general.

This “loss of control” theory has been controversial for years. The Second Circuit (where the Southern District of New York is located) has repeatedly approved it, while other circuit courts have disagreed and held it does not amount to fraud. On the final day of its most recent term, the Supreme Court finally granted review in a case, Ciminelli v. United States, where the question presented is whether “loss of control” is a valid fraud theory. In line with the trend over recent decades, I expect the Supreme Court is going to say no. As a result, even if the prosecutors in Chastain were hoping to rely on the theory, that may become impossible.

Picture of $100 bills on a clothesline

The Money Laundering Charge

Prosecutors also charged Chastain with one count of money laundering for allegedly using anonymous OpenSea accounts, rather than the account in his own name, to conceal his purchase and sale of various NFTs. The indictment is pretty vague on this point, but it’s not clear that the money laundering charge will hold up either.

I’ve discussed this issue in connection with other prosecutions, including the Varsity Blues case. Just because you use secret bank accounts or take other sneaky steps to try to conceal what you are doing, that does not constitute money laundering. Money laundering requires that the transactions be in criminal proceeds – funds generated by another criminal activity. In other words, in order to launder money, it needs to be “dirty” in the first place. If Chastain purchased NFTs using his salary or other “clean funds,” that would not be money laundering just because he used an anonymous OpenSea account to do it.

Another crypto-related wrinkle in the money laundering charge is that transactions on a blockchain are public – indeed, that is one of blockchain’s central features. That explains how others in the crypto community were so easily able to see what Chastain was doing and raise questions about it. Given that, does using other blockchain accounts really amount to an effort to conceal transactions sufficient to support a money laundering charge?

It may be that prosecutors will allege that once Chastain bought and sold the first NFTs, all subsequent purchases and sales used the allegedly criminal proceeds of those early transactions. But that would still leave the issue of whether there was really any concealment, given the public nature of blockchain transactions. Again, the indictment is not very specific so it remains to be seen – but as of now, I have my doubts about the money laundering charge as well.

Employee Misconduct Is Not Necessarily Fraud

The indictment alleges that Chastain had a duty to OpenSea to keep the information about featured NFTs confidential and that he violated that duty. But that merely establishes that he was a bad employee. Employee misconduct is not necessarily criminal. As another court of appeals once held, the federal fraud statutes are not supposed to serve as a “draconian personnel regulation.” Chastain may have deserved to lose his job and to be treated with disdain in the crypto community. That doesn’t mean he deserves to go to jail.

I’ll be watching to see how this case unfolds. But if federal prosecutors were trying to show that they are cracking down on crypto-related crime, they picked a pretty lame showcase.

Update: After this post was written, on July 21 the same U.S. Attorney’s Office announced the first “insider trading” case involving cryptocurrency. Prosecutors charged a former Coinbase employee, Ishan Wahi, and two co-defendants with trading on information about which tokens would be listed on Coinbase’s exchange. This case has the same issues discussed above: although prosecutors called it “insider trading,” it really isn’t. Prosecutors have charged wire fraud, not securities fraud, and will face the same hurdles. In Wahi, the SEC has also filed a civil complaint, alleging that the tokens traded do qualify as “securities.” But in the criminal case, just as in Chastain, prosecutors have not charged securities fraud and have not alleged that the cryptocurrencies were securities.

Like this post? Click here to join the Sidebars mailing list

Supreme Court Narrows Cybercrime Law

Last week the Supreme Court decided an important case concerning the scope of the federal government’s main cybercrime law, the Computer Fraud and Abuse Act. I wrote this post about the case, Van Buren v. United States, late last year when it was argued. As I expected, the Court has ruled in favor of the defendant and rejected the government’s sweeping interpretation of the CFAA. That was a welcome development — but the Supreme Court’s Van Buren decision leaves unresolved at least one important question concerning what kinds of computer-related misconduct might still be subject to prosecution.

Van Buren’s Prosecution

This case involves a particular subsection of the CFAA, 18 U.S.C. §1030(a)(2)(C). Under that subsection, a person commits a crime if he “accesses a computer without authorization or exceeds authorized access, and thereby obtains information” from that computer. The term “exceeds authorized access” is further defined to mean, “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6). The key issue in the case was what it means to “exceed authorized access” under this provision.

Nathan Van Buren was a police officer in Cumming, Georgia.  In exchange for a bribe, he searched a police database for a vehicle license plate number. The person who paid the bribe, Andrew Albo, told Van Buren the car belonged to a woman he had met and he wanted to be sure she was not an undercover police officer. Van Buren knew that, pursuant to police department policy, he was allowed to use the database only for legitimate law enforcement purposes. What he didn’t know was that Albo was actually cooperating with the FBI in an undercover investigation.

Van Buren was convicted for violating section 1030(a)(2). There was no question he was authorized to access the police database. But the government argued Van Buren had exceeded his authorized access, and thereby obtained the license plate information, by performing the search for an improper purpose – namely, in exchange for a bribe.

Van Buren argued that the CFAA is primarily a computer hacking statute. He claimed the prohibition against exceeding authorized access criminalizes obtaining information from a computer only when a person has no right at all to access that information. It does not apply to obtaining otherwise accessible information for an improper reason – which is what Van Buren did when he ran the license plate number, in a database where he was authorized to be, in exchange for a bribe.

The government had argued for a broader interpretation. It claimed the prohibition against exceeding authorized access applies whenever a defendant was not entitled to obtain the information under the circumstances in which he did — even if he could have properly obtained that same information under other circumstances. Here, Van Buren was authorized to access the database to obtain license plate information for legitimate police purposes. But, the government argued, he exceeded his authorized access when he searched that same database in exchange for a bribe.

Justice Amy Coney Barrett

The Court’s Decision

Writing for a 6-3 majority, Justice Barrett found that Van Buren had the better of the argument. Much of the opinion is devoted to a detailed parsing of the statutory language. But in the end, it mostly came down to the meaning of one little word: “so.” 

The statutory definition of “exceeds authorized access” prohibits obtaining information that the defendant is not entitled “so to obtain.” The word “so,” Barrett wrote, requires an antecedent; it necessarily refers back to a “word or phrase already employed.” In this statute, she wrote, the antecedent is the act of accessing of a computer. “So to obtain” therefore refers to obtaining information by accessing a computer, as opposed to by some other means. Because Van Buren was authorized to obtain license plate information from this database, he was authorized “so to obtain” the information that he did. Doing so for an improper reason did not exceed his authorized access within the meaning of the statute.  

The government had argued that “so to obtain” prohibits any obtaining of information under circumstances or conditions that were not authorized. The problem with the government’s approach, Barrett wrote, is that  “the relevant circumstance—the one rendering a person’s conduct illegal—is not identified earlier in the statute. Instead, ‘so’ captures any circumstance-based limit appearing anywhere—in the United States Code, a state statute, a private agreement, or anywhere else.”  But, she wrote, the word “so” is not a “free floating term that provides a hook for any limitation stated anywhere.” Van Buren’s approach, which links the word “so” to a specific statutory provision, is the more logical reading of the statute.

Hackers and Gates

The majority agreed with Van Buren that this portion of the CFAA is concerned with “hackers” — a term that the Court uses rather loosely. The prohibition against accessing a computer without authorization applies to “outside hackers,” those who break into a computer system from the outside. The prohibition against exceeding authorized access complements this provision “by targeting so-called inside hackers—those who access a computer with permission, but then ‘exceed’ the parameters of authorized access by entering an area of the computer to which [that] authorization does not extend.” Van Buren was not an “inside hacker,” however, because he did have authorization to be in that database.

The majority also described this approach as a “gates up or gates down” analysis: “one either can or cannot access a computer system, and one either can or cannot access certain areas within the system.” The CFAA is violated when an individual breaches one of these “gates” without authorization. It is not violated when an individual is authorized to open the gate but does so for an improper reason.

The Parade of Horribles

Justice Barrett concluded by noting that the government’s position, if adopted, “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Much of the oral argument last November had focused on this so-called “parade of horribles.” Van Buren argued that under the government’s interpretation an employee would violate the CFAA by using a work computer for personal emails or online shopping if that was prohibited by company policy. Violating a website’s terms of use policy might also qualify, which could criminalize conduct such as lying in an online dating profile. In short, she concluded, “If the ‘exceeds authorized access’ prohibition criminalizes every violation of a computer use policy, then millions of otherwise law-abiding citizens are criminals.”

“In sum,” Barrett concluded, “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer— such as files, folders, or databases—that are off limits to him.” Because Van Buren did have authority to be in this police database, his use of that database in a way contrary to police department policy did not violate the CFAA.

Justice Thomas
Justice Clarence Thomas

The Dissent

Justice Thomas dissented, joined by Chief Justice Roberts and Justice Alito. He argued that the plain language of the statute resolved the case. “An ordinary reader of the English language,” he wrote, would agree that Van Buren exceeded his authorized access when he used the police database for an improper purpose. Thomas also argued the majority’s interpretation was contrary to traditional common-law property rules that criminalize the behavior of someone authorized to use another’s property who then exceeds the scope of that authorization.

Thomas noted that the majority’s interpretation placed a great deal of misconduct out of reach of the CFAA. Suppose, he argued, a scientist was authorized to obtain blueprints for atomic weapons under some circumstances. According to the majority, that scientist would therefore be “immune” if he obtained those blueprints for the improper purpose of helping an enemy power.

Finally, Thomas rejected the parade of horribles argument, suggesting that such concerns were speculative and far-fetched: “I would not give so much weight to the hypothetical concern that the Government might start charging innocuous conduct and that courts might interpret the statute to cover that conduct.”

Analysis of the Opinion

As I argued in my earlier post, I think the majority got it right here. Its interpretation is most in line with the overall purpose of the CFAA: preventing unauthorized intrusions into computer files owned by others. And it avoided the interpretation that would have made unwitting criminals of the vast majority of computer users – whether or not such cases would ever be prosecuted. Ruling against Van Buren would have turned the CFAA into a draconian personnel regulation.

I was surprised that the rule of lenity did not come into play in the majority’s decision. Frequently invoked in white collar cases, the rule provides that if there is any ambiguity in a criminal statute the court will err on the side that favors the defendant. It’s based on the rule that due process requires criminal prohibitions to be clear so people can know what is and is not permissible. The majority dismissed the rule of lenity as unnecessary, stating its interpretation was so clearly correct reliance on the rule was unnecessary. In a complex statutory case decided 6-3, I think that displays a certain — lack of humility.  Shocking, I know.

Scene from Casablanca

As for Justice Thomas’s arguments about property law, the majority reasonably pointed out that common law property doctrines – many of which have their roots in medieval England – don’t necessarily adapt well to the area of cybercrime. Better to focus on the precise definitions in this particular statute, which deals with a very specialized area.

Thomas’s concern about the nuclear scientist who sells weapons blueprints being “immune” from liability is not well-founded. Such wrongdoers are not immune; other statutes, such as those against espionage, would easily cover that criminal conduct. There is no need to stretch the boundaries of the CFAA to cover it as well. Van Buren engaged in misconduct and deserved to be punished, but a conviction under the CFAA is far from the only way to do that.

When it comes to the parade of horribles, here I am more inclined to agree with the dissent. Many white collar statutes potentially encompass relatively trivial conduct that, in the real world, is never prosecuted. It’s unlikely that if the case had gone the other way we would have seen a wave of prosecutions of employees for unauthorized Facebook use at work. But here Thomas was swimming against the tide of a Supreme Court trend. In a series of recent decisions the government has argued for broad interpretations of criminal statutes by saying essentially, “trust us – even if this interpretation might criminalize some trivial conduct, we won’t bring those cases.” The Court has refused to go along. Van Buren is in accord with this line of cases.

The 6-3 Breakdown

The breakdown of the Justices in the majority and dissent is interesting.  The newest, Trump-appointed Justices – Barrett, Kavanaugh, and Gorsuch – joined with the liberals – Breyer, Sotomayor, and Kagan – to form the majority. The other three conservatives – Thomas, Roberts, and Alito – were the dissenters.

Most of the conservatives on the Court profess to be textualists, whose decisions are driven primarily by the plain words of a statute. Indeed, Justice Barrett began her analysis by stating: “we start where we always do: with the text of the statute.” Both of the opinions seek support from the same book on statutory interpretation, which was co-authored by the late Justice Scalia, the father of modern textualism. The competing opinions are an interesting study in how even committed textualists can disagree over what the statutory language actually requires.

Some might also have expected the Trump appointees to vote to expand prosecutorial power, not to restrain prosecutors and free a criminal defendant. But decisions in criminal cases frequently do not break down along such ideological lines. Scalia, who is revered by today’s conservative Justices, was a strong voice against the expansive reading of criminal statutes and often ruled in a defendant’s favor. The Van Buren majority’s approach to the case is in the finest Scalia tradition.

gate

What Kind of Gate Will Suffice?

The Van Buren decision does leave one major question unanswered. As noted above, the majority adopts a “gates up, gates down” analysis: the question is whether the defendant was authorized to be inside a particular file, database, or folder, or whether that area of the computer was off limits. But it did not answer a key question: what kind of “gate” will satisfy the statute?

Computer crime expert professor Orin Kerr argued in an amicus brief that the CFAA requires a technological gate. The information must be protected by a password or similar electronic barrier that the defendant breached, or “hacked,” without authorization, even if he was otherwise authorized to be inside the computer system that contained that information. But there are other possible kinds of gates as well, such as those imposed by a contract or office policy.

For example, consider an employee at a large company who works in the purchasing department. He is authorized to access the areas of the company’s computer system that relate to his job, but is not authorized to access employee personnel records that are contained within the same system. If those personnel records are contained in a separate folder that requires a unique password, that would be a technological “hard gate.” If the employee steals that password to access the records, he would exceed his authorized access by breaching that gate.

Now suppose the personnel folder does not require a separate password but is potentially accessible to anyone already inside the company’s computer system. But company policy and the employee handbook clearly prohibit any employee not working in human resources from accessing the personnel folder. If our employee in purchasing accesses the personnel records in violation of that policy, he has breached a “soft gate” – in this case, one imposed not by technology but by a written requirement.

In footnote eight of the opinion, the Court (while citing Professor Kerr’s brief) expressly says it is not resolving this question: “For present purposes, we need not address whether this inquiry turns only on technological (or “code-based”) limitations on access, or instead also looks to limits contained in contracts or policies.” But for now it appears either kind of limit would qualify under the majority opinion. The dissent also interprets the majority opinion that way, arguing that under the majority’s approach an employee could be prosecuted for playing a game of solitaire if company policy prohibited him from opening the “games” folder on his work computer.

The majority opinion and the metaphor of a “gate” suggest there does have to be some kind of barrier or partition, even if that only consists of storing the information in a separate file or folder. It envisions a computer system with different compartments or areas of data. Exceeding authorized access would mean the information obtained would not automatically be accessible to the employee based on his level of access, and he would have to take some additional step to reach it – which could mean simply clicking on a different folder. But exactly what kind of barrier would suffice, and whether some more significant steps by the employee would be required, is left unclear.

Portions of the majority opinion, such as the reference to those who exceed authorized access as “inside hackers,” do imply some kind of technological barrier or hard gate. The majority also criticized the dissent’s interpretation of “so” in part because it could make criminality turn on external factors like office policies outside the statute itself. But if a soft gate is sufficient to define the limits of an employee’s access, then the same issue arises; it’s simply been bumped from the definition of “so” to the definition of “authorized.” That might suggest the majority would require a hard gate if confronted with a case squarely raising that question.

But all that being said, it’s hard to find the requirement of a password or other technological gate in the definition of “authorized.” If an employee opens a folder that his contract or office policy forbid him to open, his actions seem pretty clearly “unauthorized,” even if no stolen password is required.

A requirement of a technological gate to define the scope of authorization would be much cleaner and easier to enforce. But we will have to await future court decisions – or a clarifying amendment by Congress – to learn whether that is required by the statute.

Like this post? Click here to join the Sidebars mailing list