Wednesday, July 24, 2013

The Police Officer, NCJIS and Exceeding Authorized Access


A superseding indictment returned by a federal grand jury charges Kevin Cave “with intentionally exceeding authorized access to a protected computer for private financial gain in violation of  § 1030(a)(2)(C) and (c)(2)(B)(i).”  U.S. v. Cave, 2013 WL 3766550 (U.S. District Court for the District of Nebraska 2013).  He filed a motion to dismiss the superseding indictment, claiming it “fails to state an offense.”  U.S. v. Cave, supra.  The motion would have been made under Federal Rules of Criminal Procedure Rule 12(b)(3)(B). 

The U.S. District Court judge who has the case referred the motion to a U.S. Magistrate Judge to review it and decide whether it should be granted; pursuant to the usual procedure, the Magistrate Judge considered the motion, and held a hearing on the matter. U.S. v. Cave, supra.   He issued a Report and Recommendation (R&R) that was reviewed by the district court judge, who decided whether to accept the recommendation the Magistrate Judge made. U.S. v. Cave, supra.

The R&R says Cave was “an officer with the Omaha Police Department from September 23, 2002, until September 7, 2012.” U.S. v. Cave, supra. As an OPD officer, Cave was

Train[ed] on the use of the Nebraska Criminal Justice Information System database (NCJIS). . . . NCJIS allows approved agencies to link to databases that provide information including criminal history information, driver's license information, employment information, information from penal institutions, and probation and parole information. . . .

Before accessing NCJIS, approved agencies must sign a memorandum of understanding (MOU) acknowledging the confidentiality of the information found on NCJIS. . . . Approved agencies then train users within the agency on these regulations. . . . Information found within NCJIS is for use by law enforcement personnel within their official capacity only and is not to be made public. . . .

U.S. v. Cave, supra.  The R&R also explains that OPD is an agency authorized to

use NCJIS. . . . Cave completed training and was authorized to use NCJIS on January 24, 2008, and remained authorized until September 7, 2012. . . . The government alleges that beginning on March 2, 2010, until August 21, 2012, Cave conducted unauthorized NCJIS database searches in an effort to locate certain individuals and disseminated the information to car dealerships attempting to repossess vehicles. . . .

The government alleges the car dealerships paid Cave up to $200.00 for each lead and he received a total of about $16,050.00. . . . The government alleges Cave violated 18 U.S. Code § 1030(a)(2)(C) and (c)(2)(B)(i) by exceeding his authorized access to NCJIS and obtaining information that he then made public for personal financial gain. . . .

U.S. v. Cave, supra. 

In his motion, Cave argued that the superseding indictment

should be dismissed because it `fails to state an offense for the reason the government has pled facts tending to show that [he] misappropriated information, not that he was without authorization or exceeded his authorization in accessing such information.’ . . . Cave contends he did not `exceed authorized access’ within the plain meaning of the phrase under [§1030]. . . . Cave also contends that legislative history leans towards a narrow interpretation of the phrase `exceeds authorized access’ which would exclude the misuse of information. . . .

U.S. v. Cave, supra. 

In earlier posts, I have noted that 18 U.S. Code § 1030(a) creates two “access” crimes: the “outsider” crime (access a computer without being authorized to do so) and the “insider” crime (being authorized to access a computer, the person exceeds the scope of their authorization to do so).  In other posts, I have noted that the applicability of the first crime is usually factually and legally straightforward, while the applicability of the second crime, the “insider” crime, can be more challenging. 

In his legislative history argument, Cave claimed that “looking into legislative history behind [18 U.S. Code § 1030] would support” a “more narrow interpretation of the phrase `exceeds authorized access’”. U.S. v. Cave, supra.  More precisely, he claimed “the original purpose of the statute" was "`to prohibit electronic trespassing, not the subsequent use or misuse of information.’” U.S. v. Cave, supra.  In his R&R, the Magistrate Judge explained that in in 1986, the U.S. Senate changed the

wording of [§1030]. In Senate Report No. 99–432, the Senate explained, `Section 2(c) substitutes the phrase “exceeds authorized access” for the more cumbersome phrase in present 18 U.S. Code § 1030(a)(1) and (a)(2), “or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend”’. The Committee intends this change to simplify the language[.]. S. Rep. No. 99–432, at *9 (1983). . . .

Cave contends that . . . the Senate meant to eliminate coverage of the phrase, `or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend.’ . . . Cave asserts that because the coverage of this phrase is eliminated, if Congress had intended this area to be covered Congress would have included coverage under the statute.

U.S. v. Cave, supra. 

The Magistrate Judge was not convinced.  He noted that “[i]n the 1986 Senate report, the Senators stated that the reasoning behind changing the language was only `to simplify the language’ and not to change the scope of the coverage as alleged by” Cave. U.S. v. Cave, supra.  He then found that “because the intent of the legislature as to § 1030(a)(2) was only to simplify the language, the scope of coverage was not changed, therefore using access for purposes to which authorization does not extend remains within the scope of” 18 U.S. Code § 1030(a)(2)(C). U.S. v. Cave, supra. 

The Magistrate Judge next took up Cave’s other argument, i.e., that the superseding indictment should be dismissed because its factual allegations did not show that he exceeded his authorized access to the NCJIS system. U.S. v. Cave, supra.  He began by noting that 18 U.S. Code § 1030 provides that whoever

`intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information . . . shall be guilty of a felony.’ The phrase `exceeds authorized access’ . . . means, `to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’ 18 U.S. Code § 1030(a)(2)(C).

`A person is “without authorization” when an individual either (1) has never been granted access to the computer yet obtains access to the computer without the access-grantor's permission, or (2) has been granted access as the access-grantor's agent but loses authorization to access the computer when the agent breaches his duty of loyalty.’ NCMIC Fin. Corp. v. Artino, 638 F.Supp.2d 1042 (U.S. District Court for the Southern District of Iowa 2009). `Both inquiries focus on a person's intent at the time of accessing the computer, not on a person's subsequent misappropriation of the information or thing of value obtained from the employer's computer.’  NCMIC Fin. Corp. v. Artino, supra.  

U.S. v. Cave, supra. 

The Magistrate Judge’s R&R then reviewed the arguments both parties made on this issue, beginning with Cave, who argued that

since he at no time altered any information on the database or at no time did he lack the authorization to obtain information from NCJIS, he did not `exceed authorized access’ according to the statute. . . .. Additionally, Cave asserts he was granted full access to the information on the database, thus he did not exceed his authorized use.

U.S. v. Cave, supra. 

The Magistrate Judge then noted that the prosecution argued that Cave did not have

authorization to access the information to begin with because the search was done for an improper purpose. . . . The government does not allege that Cave conducted a proper search and then misused the information; instead the government alleges that the search was improper from the start. . . . The government contends that Cave's searches were not connected to any legitimate law enforcement activity, and therefore were not authorized. . . .

U.S. v. Cave, supra. 

In the R&R, the Magistrate Judge then found that when OPD obtained access to

NCJIS, OPD signed a MOU. The MOU specifically stated use of NCJIS is `for the purpose of improving public safety and improving the ability of criminal justice agencies in the performance of their official duties.’ . . . After OPD signed the MOU and obtained access to NCJIS, OPD trained their officers on the rules and regulations prescribed in the MOU, specifically addressing regulations pertaining to access and disclosure and the confidential nature of the information found on NCJIS. . . .

Cave allegedly accessed confidential information available through NCJIS and provided such information to car dealerships attempting to repossess vehicles. . . . In return, Cave allegedly received money. . . . OPD granted Cave access to NCJIS for the limited purposes set forth in the MOU, specifically, for the purpose of `improving the ability of criminal justice agencies in the performance of their official duties.’ Cave's actions, if proven, fit within the definition of `exceeds authorized access’ because accessing confidential information for personal financial gain is not within the aforementioned purpose.

U.S. v. Cave, supra.  The Magistrate Judge therefore recommended to the U.S. District Court judge that the motion to dismiss be denied.  U.S. v. Cave, supra. 

Cave filed an objection to the R&R with the District Court judge, claiming “the magistrate judge's interpretation `adds the new element of access with “bad intent” and ignores the plain meaning of the words and phrases employed in the statute.” U.S. v. Cave, supra.  The judge did not agree:

Contrary to Cave's argument, the magistrate judge's analysis does not add an element of intent to [§1030] it merely acknowledges the realities of Cave's authorization under the memorandum of understanding. In the R&R, the magistrate judge defines the outer limits of the authorization NCJIS and OPD granted the defendant -- not the limits of the statute. Filing No. 30 at 5 (`OPD granted Cave access to NCJIS for the limited purposes set forth in the MOU . . . accessing confidential information for personal financial gain is not within the aforementioned purpose’).

U.S. v. Cave, supra. 

The judge then pointed out that, as the prosecution pointed out, the United States

Courts of Appeals for the First, Fifth, Seventh, and Eleventh Circuits have come to the conclusion that a person granted access for limited purposes exceeds authorization when he or she pursues other purposes. See, e.g., U.S. v. Czubinski, 106 F.3d 1069 (U.S. Court of Appeals for the 1st Circuit 1997) (`Czubinski unquestionably exceeded authorized access’ when he used a database . . . for an unauthorized purpose); U.S. v. John, 597 F.3d 263 (U.S. Court of Appeals for the 5th Circuit 2010) (`“exceeds authorized access” may include exceeding the purposes for which access is “authorized”’); International Airport Centers, LLC v. Citrin, 440 F.3d 418 (U.S.Court of Appeals for the 7th Circuit 2006); (`Citrin's breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop'); U.S. v. Rodriguez, 628 F.3d 1258 (U.S. Court of Appeals for the 11th Circuit) ([government’s] policy . . . is that use of databases to obtain personal information is authorized only when done for business reasons . . . `the plain language of [1030] forecloses any argument that Rodriguez did not exceed his authorized access’ by accessing the database for other reasons).

U.S. v. Cave, supra.  He therefore entered an order denying the motion to dismiss. U.S. v. Cave, supra. 

No comments: