Embed Size (px)
Citation preview
16
(N.Y. 2009)). With such technology at the government’s disposal, “[t]he whole of a person’s
progress through the world, into both public and private spatial spheres, can be charted and
recorded over lengthy periods . . . .” Weaver, 909 N.E.2d at 1195. Now, prolonged tracking is
“not merely possible[,] but entirely practicable . . . .” Id. The emergence of such technology “will
continue to shape the average person’s expectations about the privacy of his or her daily
movements.” Jones, 132 S.Ct. at 963 (Alito, J., concurring).
The Supreme Court’s previous technology-based decisions do not apply because the
extended surveillance of Leomund by federal officers lasted far beyond a single destination and
beyond a single day. In total, officers monitored Leomund for sixteen (16) days and twenty
minutes (20) without a warrant. J.A. 15-16. The sixteen (16) day surveillance revealed a number
of private details of Leomund’s life, from visiting a urologist and psychiatrist’s office, to
attending a gentlemen’s club. Id. at 15. It was not until day sixteen that federal officers had
specific evidence that Leomund had anything to do with the leak of the Phyresis pathogen. Id. at
16. Prior to that time, Leomund’s private affairs became known to the federal officers, all of
which were irrelevant to the access of CDC-Secure. Id. at 15. Allowing that amount of extended
surveillance, only to have something relevant on day 16, is a clear violation of Leomund’s
expectation of privacy that society would consider reasonable. Therefore, an unreasonable search
has occurred, in violation of the Fourth Amendment.
ARGUMENT
I. LEOMUND DID NOT VIOLATE THE COMPUTER FRAUD AND ABUSE ACT BECAUSE THE TERM “WITHOUT AUTHORIZATION” ONLY CONTEMPLATES UNAUTHORIZED ACCESS, NOT UNAUTHORIZED USE
The Computer Fraud and Abuse Act (“CFAA”) is a federal statute enacted primarily to
combat computer hacking. WEC Carolina Energy Solutions, LLC. v. Miller, 687 F.3d 199, 201
17
(4th Cir.2012) (citing A.V. ex rel. Vanderhye v. iParadigms, LLC., 562 F.3d 630, 645 (4th
Cir.2009)). The CFAA prohibits a number of crimes relating to computer use, including the
prohibition of any individual who “intentionally accesses a computer without authorization . . . .”
18 U.S.C.A. §1030(a)(2). A violation of the CFAA exposes an individual to both criminal and
civil liability. Miller, 687 F.3d at 201. However, “authorization” is not defined by the CFAA. In
interpreting the meaning and scope of “authorization”, the Fourth and Ninth Circuits apply the
narrow interpretation, which requires the plain meaning of the term to be examined. Miller, 687
F.3d at 203; LVRC Holdings v. Brekka, 581 F.3d 1127, 1130, 1132 (9th Cir.2009). In other
words, the “‘ordinary, contemporary, [or] common meaning’” of the term will be used. Id. at
1133 (quoting Perrin v. United States, 444 U.S. 37, 42 (1979)). On the other hand, the First,
Fifth, Seventh, and Eleventh Circuits apply the broader interpretation. EF Cultural Travel Bv v.
Explorica, 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010);
Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, 628
F.3d 1258 (11th Cir. 2010). Since the plain language of the CFAA indicates that the only
conduct that is clearly covered by the statute is the accessing of a computer “without
authorization,” not “unauthorized use,” and Congress did not explicitly prohibit “unauthorized
use,” Leomund has not violated the “without authorization” provision of the CFAA.
A. The Plain Meaning Of “Without Authorization” Prohibits An Employee From Unlawfully Accessing An Employer’s Computer, Not Unlawfully Using It.
In Miller, Miller was charged with violating the Computer Fraud and Abuse Act
(“CFAA”). Miller, 687 F.3d at 201. Miller worked as Project Director for WEC Carolina Energy
Solutions, Inc. Id. at 202. As an employee of WEC, Miller was given a laptop computer and cell
phone. Id. Miller was authorized to access WEC ‘s intranet and computer servers. Id. WEC
established policies prohibiting employees from using its information without authorization or
18
downloading the information on a personal computer. Id. However, the policy did not restrict
Miller’s authorization to access WEC’s information. Id. Miller resigned from WEC and began
working with Arc Energy Services, Inc., WEC’s competitor. Id. at 201. Prior to his resignation,
Miller is alleged to have downloaded a number of WEC’s confidential information and emailed
them to a personal email address as well as saved them onto a personal computer. Id. at 202.
Additionally, Miller is alleged to have used WEC’s information to obtain a potential WEC
customer for the benefit of Arc. Id. The customer retained Arc’s services. Id. As a result, WEC
alleges that Miller lost all authorization to access WEC’s confidential information when he
downloaded WEC information onto his personal computer. Id.
The court held Miller did not violate the CFAA. Id. at 207. The CFAA is primarily a
criminal statute that was established to combat computer hacking. Id. at 201 (citing iParadigms,
LLC., 562 F.3d at 645). However, the CFAA does not define “authorization.” Miller, 687 F.3d at
204. When interpreting the meaning of a term of a statute, “the plain [meaning] of the [term is to
be analyzed], seeking ‘first and foremost . . . to implement congressional intent.’” Id. at 203
(quoting United States v. Abdelshafi, 592 F.3d 602, 607 (4th Cir. 2010)). The plain meaning of a
term is its “‘ordinary, contemporary, common meaning,’ unless Congress has indicated the term
bears a different meaning. Miller, 687 F.3d at 203-04 (quoting Stephens ex rel. R.E. v. Astrue,
565 F.3d 131, 137 (4th Cir. 2009)). If the statute has both civil and criminal application, the
interpretation of the term is to be applied “uniformly in both contexts.” Miller, 687 F.3d at 204
(citing Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004)). Since the CFAA is a criminal statute, the
terms must be strictly construed in accordance with the rule of lenity, avoiding any
interpretations “not ‘clearly warranted by the text[.]’” Miller, 687 F.3d at 204 (quoting Crandon
v. United States, 494 U.S. 152, 160 (1990)). The plain meaning of “‘authorization’” is “‘formal
19
warrant, or sanction.’” Miller, 687 F.3d at 204 (quoting Oxford English Dictionary (2d ed. 1989;
online version 2012)). The CFAA only covers “unauthorized access of protected computers.” Id.
(emphasis added). The plain meaning of “‘access’” is “‘to gain admission to [something].’”
Miller, 687 F.3d at 204 (quoting Oxford English Dictionary (3d ed. 2011; online version 2012)).
Therefore, based on the plain meanings of “authorization” and “access,” an employee accesses a
computer “without authorization” under the CFAA when “he gains admission to a computer
without approval.” Miller, 687 F.3d at 204 (citing Brekka, 581 F.3d at 1133). It does not extend
to the “improper use of information validly accessed.” Miller, 687 F.3d at 204 (emphasis added).
Since Miller had authorized access to WEC’s intranet and computer servers as well as all of
WEC’s information stored on the servers, he did not violate the “without authorization”
provision of the CFAA. Id. at 207.
In Brekka, Brekka was charged with violating the Computer Fraud and Abuse Act
(“CFAA”). Brekka, 581 F.3d at 1129. Brekka was hired by LVRC to oversee aspects of it’s
residential treatment center for addicted persons. Id. Brekka was to maintaining contact with
LOAD, Inc., a company that provided email, website, and related services for the facility. Id.
Brekka also was responsible for conducting internet marketing programs. Id. While working for
LVRC, Brekka owned and operated two consulting businesses that provided addiction
rehabilitation services and referrals to rehabilitation facilities through the use of internet sites and
advertisements. Id. The owner of LVRC was aware of Brekka’s business. Id. As an employee of
LVRC, Brekka was assigned a computer. Id. However, while commuting to and from his other
businesses, Brekka emailed LVRC documents to his personal computer. Id. at 1129-30. There
was no policy prohibiting employees from emailing LVRC documents to personal computers. Id.
Brekka eventually resigned from LVRC, but continued to access LVRC documents based on the
20
log-in credentials assigned to him by LOAD’s administrator. Id. at 1130. LVRC alleges that
Brekka accessed its computers “without authorization” when he emailed the LVRC documents to
his personal computer. Id. at 1128.
The court held Brekka did not violate the CFAA. Id. at 1137. The CFAA was established
to allow the government to prosecute computer crimes, specifically, computer hackers who
sought to steal information or interrupt the functionality of computer systems. Id. Interpreting the
meaning of “without authorization” requires an analysis of the plain language of the CFAA. Id.
at 1132 (citing United States v. Blixt, 548 F.3d 882, 887 (9th Cir. 2008)). When a statute does
not define a word, it is a “‘fundamental canon of statutory construction’” that the “‘ordinary,
contemporary, [or] common meaning’” of the word be used. Brekka, 581 F.3d at 1133 (quoting
Perrin, 444 U.S. at 42). The CFAA is primarily a criminal statute, and when there is ambiguity in
a criminal statute, it should be resolved “‘in favor of lenity.’” Brekka, 581 F.3d at 1134 (quoting
United States v. Carr, 513 F.3d 1164, 1168 (9th Cir.2008)). When the statute has both criminal
and civil implications, it should be interpreted consistently in both contexts. Brekka, 581 F.3d at
1134 (citing Ashcroft, 543 U.S. at 11 n.8 (2004)). The plain meaning of “authorization” applies
when an individual is “‘authorized’” to access the company’s computer. Brekka, 581 F.3d at
1134 (quoting Webster’s Third International Dictionary, 146 (2002)). Therefore, under the
CFAA, “without authorization” occurs when an employee “accesses a computer without any
permission at all . . . .” Brekka, 581 F.3d at 1134. Additionally, an employee accesses a computer
“without authorization” when his prior authorization to access the computer was rescinded by his
employer, but he uses it anyway. Id. at 1135. Since there was no dispute that Brekka was
authorized to access and use LVRC’s computer, he did not violate the “without authorization”
provision of the CFAA. Id. at 1133.
21
Like the defendants in Miller and Brekka, Leomund was granted access to CDC-Secure
while employed at the CDC. J.A. 14. Although there was a restriction as to the disclosure of the
information contained in CDC-Secure, there was no restriction as to his access of CDC-Secure.
Id. at 14, 28-29. Despite his being transferred to another department, nothing in the record even
suggests Gant had told Leomund that he was restricted as to what he could access on CDC-
Secure. Id. at 14. In both of his positions, Leomund was required to access CDC-Secure. Id.
Additionally, when Leomund received information about the Phyresis pathogen from Edgeworth
after Leomund was fired, Leomund did not access CDC-Secure himself, for that would have
constituted access “without authorization.” Instead, Edgeworth, a current employee of the CDC,
serving in same capacity as Leomund had once served, had accessed CDC-Secure. Id. at 16.
Therefore, under the plain meaning of the CFAA, Leomund never accessed CDC-Secure
“without authorization.”
In JBCHoldings NY, LLC v. Pakter, Pakter was charged with violating the Computer
Fraud and Abuse Act (“CFAA”). JBCHoldings NY, LLC v. Pakter, 931 F. Supp. 2d 514, 519
(S.D.N.Y.2013). Pakter began working with JBCHoldings (“JBC”) after Pakter sold her
company to JBC. Id. at 518. Pakter’s responsibility at JBC was to obtain business for JBC. Id.
Pakter signed an agreement that she would not compete with JBC. Id. However, JBC discovered
that Pakter had been diverting business to another company that she had established. Id. at 518-
19. Additionally, JBC discovered that Pakter had been receiving fees from JBC’s clients and
diverting the funds to her other company. Id. at 518. Furthermore, JBC discovered that Pakter
had been in contact with present and former JBC clients. Id. at 519. JBC alleged that Pakter
accessed the client information without authorization when she used it to benefit her own
business. Id. at 519.
22
The court held Pakter did not access the JBC’s information “without authorization”
because such access to client information was part of her job. Id. at 525. In defining “without
authorization,” the plain meaning of the statute is to be analyzed. Id. at 523. If the statute does
not define a term, that term “must be given its ‘ordinary, contemporary, common meaning.’” Id.
(quoting Perrin, 444 U.S. at 42). As a result, “the common meaning of ‘without authorization’ is
‘without any permission at all.’” Pakter, 931 F. Supp. 2d at 523 (quoting United States v.
Aleynikov, 737 F. Supp. 2d 173, 191 (S.D.N.Y.2010)). Therefore, an employee acts “without
authorization” under the CFAA when “he does so without permission to do so.” Pakter, 931 F.
Supp. 2d at 523. The definition speaks only to access, not use. Id.
B. The Broad Interpretation That “Without Authorization” Includes Violations of Employer Policies Is Contrary To Legislative Intent.
In Int’l Airport Ctrs., LLC v. Citrin, Citrin was charged with violating the Computer and
Fraud Abuse Act (“CFAA”). Int’l Airport Ctrs., LLC. v. Citrin, 440 F.3d 418, 418-19 (7th Cir.
2006). Citrin worked for International Airport Centers (“IAC”), for which he was assigned a
laptop to be used for the recording of data he obtained while working with IAC. Id. at 419. Citrin
resigned from IAC and entered into his own business, which was a violation of his employment
contract with IAC. Id. Before returning his IAC laptop, Citrin deleted all of the data stored on it.
Id. Such data included not only those he had collected while working for IAC, but also data that
would have informed IAC of improper conduct that he had engaged in while working for IAC.
Id. In order to do so, Citrin installed a secure-erase program that prevented the deleted files from
being recovered by IAC. Id. IAC possessed no copies of the deleted data. Id.
The court held Citrin had accessed IAC’s laptop without authorization because he
breached a duty of loyalty to IAC. Id. at 420-21. Citrin’s installing of the secure-erase program
was intended to cause damage to the IAC laptop’s files to the extent that IAC could not recover
23
them. Id. at 419. Citrin’s authority to use the laptop had terminated when he (1) engaged in
misconduct on it, (2) quit IAC in violation of his employment contract, and (3) deleted files that
would have incriminated himself as well as files that rightly belonged to IAC, which was a
violation of his duty of loyalty to IAC. Id.
Allowing “without authorization” to cover violations of employer restrictions “wraps the
intent of the employees and use of the information into the CFAA despite the fact that the statute
narrowly governs access, not use.” Jones, 957 F. Supp. 2d at 619. Requiring the mental intent of
the employees be considered in the analysis would “collapse [the CFAA’s] independent
requirements into a single inquiry . . . .” Brett Senior & Assocs., P.C. v. Fitzgerald, No. 06-1412,
2007 U.S. Dist. LEXIS 50833, at *15 (E.D. Pa. July. 13, 2007). As a result, the CFAA’s primary
objective of punishing conduct that is “tantamount to trespass in a computer” would not longer
be applicable. Clinton Plumbing and Heating of Trenton, Inc. v. Ciaccio, et. al., No. 09-2751,
2010 U.S. Dist. LEXIS 113215, at *18 (E.D. Pa. Oct. 22, 2010).
II. LEOMUND DID NOT VIOLATE THE CFAA BECAUSE APPLYING AGENCY PRINCIPLES TO DETERMINE WHETHER AN EMPLOYEE “EXCEEDS AUTHORIZED ACCESS” FALLS OUTSIDE THE ORIGINAL CONGRESSIONAL INTENT
The Computer Fraud and Abuse Act (“CFAA”) was enacted in order to “address the
growing problem of computer hacking . . . .” United States v. Nosal, 676 F.3d 854, 858 (9th
Cir.2012). The CFAA prohibits a number of crimes relating to computer use, including the
prohibition of any individual who “exceeds authorized access . . . .” 18 U.S.C.A. §1030(a)(2). An
individual “exceeds authorized access [when he gains access to] a computer with authorization to
use such access to obtain or alter information in the computer that the accesser is not entitled so
to obtain or alter.’” Nosal, 676 F.3d at 856. Since the plain language of the CFAA indicates that
the only conduct that is clearly covered by the statute is the employer obtaining information that
24
is outside the bounds of his approved access, Leomund has not violated the “exceeds authorized
access” provision of the CFAA.
A. The Plain Meaning Of “Exceeds Authorized Access” Prohibits An Employee From Obtaining Information That Falls Outside The Bounds Of His Approved Access.
In Nosal, Nosal was charged for violating the Computer Fraud and Abuse Act (“CFAA”).
Nosal, 676 F.3d at 856. Nosal worked for Korn/Ferry, an executive search firm. Id. After leaving
the company, Nosal had other Korn/Ferry employees to send him Korn/Ferry information stored
in a confidential database on the firm’s computer. Id. The employees used their log-in credentials
to download Korn/Ferry information. Id. The employees had authorization to access the
confidential database, but Korn/Ferry prohibited employees from disclosing the confidential
information. Id. It is alleged Nosal aided and abetted the employees in violating the CFAA,
specifically, exceeding the employees’ authorized access to Korn/Ferry’s confidential database.
Id.
The court held that the phrase “exceeds authorized access” is limited only to violations
regarding company restrictions on access to information, not to that information’s use. Id. at 864
(emphasis added). The plain language of the CFAA focuses on the unauthorized access of
information and not its subsequent misuse. Id. at 863.
In Dresser-Rand Co. v. Jones, Jones was charged with violating the Computer Fraud and
Abuse Act. Dresser-Rand Co. v. Jones, 957 F. Supp.2d 610, 611 (E.D. Pa. 2013). Jones was a
manager for Dresser-Rand. Id. Eventually, Jones resigned from Dresser-Rand. Id. However,
prior to his resignation, Jones went to work with Global Power Specialist, Inc. Id. Jones
downloaded Dresser-Rand documents to external hard drives and flash drives. Id. Thousands of
Dresser-Rand documents were discovered to have been transferred from the external devices to
25
Global Power’s computers and accessed from Global Power’s computers. Id. at 612. Jones
emailed some Dresser-Rand business information to Global Power through using Dresser-Rand
computers. Id. An official of Dresser-Rand stated that he did not believe Jones accessed
information other than what he had authorized access to do using their Dresser-Rand user name
and password. Id. Dresser-Rand has a policy that prohibits employees from disclosing company-
sensitive or privileged information. Id. Additionally, employees are prohibited from using
Dresser-Rand’s systems in a way that “‘jeopardizes the integrity of the equipment, violates any
Company policy, or is not in the best interest of the Company.’” Id. By using Dresser-Rand’s
system, Jones consented to the policies. Id. at 613. Dresser-Rand is alleged to have exceeded his
authorized excess to Dresser-Rand’s computers by downloading Dresser-Rand files to flash
drives and external hard drives to benefit Global Power. Id. at 614.
The court held Jones had not exceeded his authorized access to Dresser-Rand’s
computers and, therefore, did not violate the CFAA. Id. at 619. Dresser-Rand’s policies only
governed use, not access. Id. at 620. The CFAA governs only unauthorized computer access, not
file access. Id. at 621. Jones accessed the downloaded documents from his Dresser-Rand
computer and stored them on external storage devices, while employed at Dresser-Rand. Id. at
620. He had a user name and password to access the Dresser-Rand network as well as the
laptops and external hard drives. Id. There were no limitations as to Jones’ ability to copy
documents from the information he had authorized access to access. Id. Since he was authorized
to access his work laptop and download files from it, he was not liable under the CFAA, despite
the fact that he misused the information afterwards. Id. The Computer Fraud and Abuse Act
(“CFAA”) prohibits accessing computers in a manner in excess of what he has been authorized
and obtaining information or damaging computer data. Id. at 613 (citing 18 U.S.C. § 1030(a)).
26
Violating the CFAA exposes an individual to both civil and criminal liability. Jones, 957 F.
Supp. 2d at 613. The CFAA’s original purpose was to provide a legal remedy to those victimized
by computer hackers. Id. An individual has exceeded authorized access under the CFAA when
he obtains or alters information to which he is not entitled. Id. at 614. However, the CFAA does
not define “authorization,” which requires courts to “wrestle with the breadth of its meaning . . .
.” Id. at 615.
In Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Matsuda, Werner-Matsuda
was charged with violating the Computer Fraud and Abuse Act (“CFAA”). Int'l Ass'n of
Machinists & Aerospace Workers v. Werner-Matsuda, 390 F. Supp. 2d 479, 484 (D. Md. 2005).
Werner-Matsuda served as International Association of Machinists & Aerospace Workers’
(“IAM”) Secretary-Treasurer of a lodge IAM owned. Id. at 483. As an employee of IAM,
Werner-Matsuda had access to IAM’s secured website which contained IAM’s confidential
membership list. Id. Werner-Matsuda signed an agreement not to use confidential information
located on the secure website that was contrary to IAM’s Constitution. Id. However, Werner-
Matsuda had accessed the confidential information and used it to help another company seeking
to challenge IAM in the union business. Id. IAM alleges Werner-Matsuda “exceeded her
authorization” by violating the agreement she signed before working with IAM. Id. at 495.
The court held that Werner-Matsuda did not exceed her access. Id. at 499. The court
acknowledged that there is a distinction between mere use and authorization to access
information and that the plain language of the statute necessitated their holding, because the
CFAA does not prohibit unauthorized use of information. Id. at 499. The court pointed to
legislative history, the fact that the CFAA is generally seen as a criminal statute and thus should
be construed narrowly, and persuasive case law to come to its ultimate conclusion. Id. at 499.
27
Like the defendants in Nosal, Jones, and Werner-Matsuda, Leomund did not exceed his
authorize access. There is no dispute that when Leomund accessed CDC-Secure himself, he was
authorized to so as part of his job as the Assistant Content Director/Disease Projection Analyst in
the Public Records Division of the CDC. J.A. 13-14. Additionally, even after Gant transferred
Leomund to the department that analyzed the Alzheimer’s disease in American citizens, he still
had authorization to access CDC-Secure. Id. at 14. Furthermore, after Leomund was terminated,
he never gained access to CDC-Secure himself, but obtained the information from Edgeworth, a
Topography Specialist of the CDC. Id. at 16.
B. Applying A Broader Interpretation Of “Exceeds Authorized Access” Using Agency Principles Has Far-Reaching Effects Not Intended By Congress.
In EF Cultural Travel Bv v. Explorica, Explorica is charged with violating the Computer
Fraud and Abuse Act (“CFAA”). EF Cultural Travel Bv v. Explorica, 274 F.3d 577, 578 (1st Cir.
2001). Former employees of EF, one of the world’s largest private student travel organizations,
joined Explorica, a company competing in a field of global tours for high school students. Id. at
579. Gormley, former Vice President of Information at EF, now Vice President of Explorica,
believed that, by undercutting EF’s competitive prices on student tours, Explorica could achieve
a substantial advantage over EF and other student tour companies. Id. In order to obtain the
information of EF’s prices, Gormley retained Zefer, Explorica’s Internet consultant to create a
internet computer program that would obtain all the necessary information from EF’s website.
Id. The program focused solely on EF’s website using information that other programs like it
would not have in its possession. Id. Using tour codes, the program easily obtained numerous
amounts of pricing information from EF’s website and inserted them into a spreadsheet. Id. at
579-80. The spreadsheets were then sent to Explorica, which then used the information to
28
undercut EF’s prices. Id. at 580. Explorica then began printing brochures and competing in the
tour market in which EF was participating. Id.
The court found that Explorica and its employees had violated the “exceeded authorized
access,” provision of the CFAA. Id. at 583. While employed at EF, Gormley had signed a
confidentiality agreement. Id. at 582. The agreement prohibited Gormley from disclosing any
confidential information of EF to a third party. Id. Additionally, the agreement prohibited
Gormley from using EF’s confidential information for his own benefit or for the benefit of
another person or business. Id. The agreement defined such information as any information that
“the use or disclosure of which might reasonably be construed to be contrary to the interests of
EF.” Id. Gormley had used some of the information he obtained as an employee at EF and
communicated it to Zefer in order to create the program that obtained EF’s pricing information to
compete with EF in the marketplace. Id. at 582-83. However, the court indicated that by holding
Explorica and its employees had exceeded authorized use, they did not go into the “general
arguments made about statutory meaning, including whether use of [the program] alone renders
access unauthorized.” Id. at 581-82.
In United States v. Rodriguez, Rodriguez was charged with violating the Computer Fraud
and Abuse Act (“CFAA”). United States v. Rodriguez, 628 F.3d 1258, 1260 (11th Cir. 2010).
Rodriguez worked as a representative for the Social Security Administration (“SSA”). Id. His
responsibilities was to answer questions from the general public about social security benefits
over the telephone. Id. As an representative, Rodriguez had access to the SSA’s databases that
contained sensitive personal information. Id. The SSA established a policy that prohibited
Rodriguez from obtaining SSA database information without a business reason. Id. Rodriguez
had accessed the personal information of a number of individuals for nonbusiness reasons. Id. at
29
1260-1262. The SSA alleges Rodriguez had exceeded his authorized access to the database. Id.
at 1260.
The court held Rodriguez had exceeded his authorized access to the SSA’s database. Id.
at 1263. Rodriguez conceded that he accessed information that was unauthorized. Id. The SSA
had informed Rodriguez that he could not obtain personal information for nonbusiness reasons.
Id. The court used the “plain language” of the CFAA to come to its decision. Id. at 1263-64.
In United States v. John, John was charged with violating the Computer Fraud and Abuse
Act (“CFAA”). United States v. John, 597 F.3d 263, 270 (5th Cir. 2010). John worked as an
account manager at Citigroup. Id. at 269. As an employee of Citigroup, John had access to
Citigroup’s internal computer system and customer account information. Id. John gave her half-
brother multiple customer account information so that he and others could incur fraudulent
charges. Id. at 269.
The court held John had exceeded her authorized access. Id. Citigroup’s policies
specifically prohibited the misuse of the company’s internal computer systems and confidential
customer information. Id. at 272. Despite those policies, John accessed customer information and
account information that she did not manage and used the highly sensitive and confidential
information to perpetuate fraud on Citigroup and its customers. Id.
Applying the the broad interpretations applied in Explorica, Rodriguez, and John in
holding the respective defendants had violated the CFAA by violating employer restrictions will
result in far-reaching effects that Congress did not intend. The broad interpretation “bases
authorization on the whim of the employee at the given moment he or she uses a computer.”
Jones, 957 F. Supp.2d at 618-19. Additionally, an employee’s liability under the CFAA would
unlikely be altered merely because the employee’s mental state shifts from “‘loyal employee’” to
30
“‘disloyal competitor.’” LVRC Holdings, LLC. v. Brekka, 581 F.3d 1127, 1134 (9th Cir. 2009).
Furthermore, it would “criminalize a broad range of day-to-day activity” and subject individuals
to the “risk of arbitrary or discriminatory prosecution and conviction.” Nosal 676 F.3d at 862
(citing United States v. Kozminski, 487 U.S. 931, 949 (1988)). Its application could be applied to
an employee who logs onto Facebook or checks sports scores, resulting in a termination of the
agency relationship. WEC Carolina Energy Solutions, LLC. v. Miller, 687 F.3d 199, 206 (4th
Cir. 2012). The CFAA fails to even mention agency or loyalty principles. Jones, 957 F. Supp. 2d
at 619.
The effect of the broad interpretation would be detrimental because courts would be
required to decipher the moments in which a single employee’s interests weave in and out of
alignment with the employer. The CFAA specifically differentiates authorization language
between accessing a computer without authority or exceeding initially permitted access. Such
broad interpretations would allow for removal of all distinctions between “without authorization”
and “exceeds authorization.” Therefore, the broad interpretation should not be applied.
III. THE AGGREGATE USE OF THE POLE CAMERA, LICENSE PLATE SCANNER, AND QUADROCOPTER DRONE WAS AN UNREASONABLE SEARCH UNDER THE FOURTH AMENDMENT BECAUSE THE INFORMATION OBTAINED AS A WHOLE VIOLATED LEOMUND’S REASONABLE EXPECTATION OF PRIVACY
The Fourth Amendment of the United States Constitution prohibits the government from
conducting unreasonable searches and seizures of individuals and their property. U.S. CONST.
amend. IV. An unreasonable search occurs when the government violates an individual’s
reasonable expectation of privacy. United States v. Jones, 132 S.Ct. 945, 951 (2012). An
individual’s expectation of privacy is reasonable if society is prepared to recognize it as
reasonable. Kyllo v. United States, 533 U.S. 27, 34 (2001); Katz v. United States, 389 U.S. 347,
31
361 (1967) (Harlan, J., concurring). When the government search involves surveillance through
technology, and not physical trespass, such search is subject to the reasonable expectation of
privacy analysis. Jones, 132 S. Ct. at 953 (2012). Therefore, because the extended surveillance of
Leomund violated his reasonable expectation of privacy, the surveillances, as a whole, was an
unreasonable search under the Fourth Amendment.
A. The Advancement Of Modern Technology Requires The Adoption Of The Mosaic Approach To The Reasonable Expectation Of Privacy Analysis.
In Jones, Jones was charged with conspiracy to distribute and possess with intent to
distribute cocaine. Jones, 132 S.Ct. at 948. In order to obtain evidence against Jones, officers
obtained a warrant to install a Global Positioning System (“GPS”) tracking device on his vehicle
in the District of Columbia for 10 days. Id. However, the officers installed the device on the 11th
day in Maryland. Id. The officers used the device to track the vehicle’s movements over the next
28 days. Id. The information obtained relayed more than 2,000 pages of data over a 4-week
period. Id.
The Court held there was a “search” under the Fourth Amendment because the
installation of the GPS was a physical intrusion, and, therefore, the Katz analysis did not need to
be applied. Id. at 949-50. However, the Court acknowledged that when a particular case involves
the transmission of electronic signals without a physical trespass involved, that case is subject to
the Katz analysis. Id. at 953. The Court left open the question of whether an extended
surveillance of an individual solely through electronic means would constitute a violation of the
Fourth Amendment. Id. at 953-54. It is to this question that Justices Alito and Sotomayor provide
some guidance. Id. at 954-57 (Sotomayor, J., concurring); Id. at 963-64 (Alito, J., concurring).
The Fourth Amendment must “cease to treat secrecy as a prerequisite for privacy.” Id. at
957. (Sotomayor, J., concurring). In today’s society, technology, including the GPS, reveals so
32
much information about an individual that, if aggregated, the government could determine an
individual’s “familial, political, professional, religious, and sexual associations.” Id. at 955
(citing New York v. Weaver, 909 N.E.2d 1195, 1199 (N.Y. 2009)). However, while some people
may accept the “increased convenience or security” that the technology may provide “at the
expense of privacy,” others may come to understand that such a development is “inevitable[,]”
and, therefore, accept the “tradeoff.” Jones, 132 S.Ct. at 962 (Alito, J., concurring). The
emergence of new technology “will continue to shape the average person’s expectations about
the privacy of his or her daily movements.” Id. at 963. The prolonged use of a GPS to monitor
and investigate an individual “[for] most offenses impinges on expectations of privacy.” Id. at
964. Society would expect that the government would not and could not “secretly monitor and
catalogue every single movement of an individual’s car for a very long period.” Id. The use of
the GPS to track Jones’ every move for four weeks constitutes a “search” under the Fourth
Amendment. Id.
In Weaver, Weaver was convicted of burglarizing a K-Mart Store. Weaver, 909 N.E.2d at
1195. Police officers attached a global positioning system (GPS) to the bumper of Weaver’s van.
Id. The GPS worked in conjunction with numerous satellites, from which received tracking data,
to fix the location of Weaver’s van. Id. The GPS indicated the van’s speed and pinpointed its
location within 30 feet. Id. The GPS readings indicated the speed and location of Weaver’s van
approximately every minute while the van was in motion. Id. The readings were less often when
the van was stationary. Id. In order for the police officers to download the GPS information, they
would drive by Weaver’s van and press a button on a unit in their possession. Id. Upon the press
of the button, the tracking history was transmitted to and saved by a computer in the officer’s
vehicle. Id. The GPS was used for 65 days. Id. The GPS indicated that Weaver had been around
33
the store’s location around 7:26 traveling at a speed of six miles per hour. Id. The prosecution
had the GPS readings admitted at trial against Weaver. Id.
The court held that such a “dragnet use” of the GPS to track Weaver for 65 days was “not
consistent with the values at the core of [the New York] Constitution’s prohibition against
unreasonable searches.” Id. at 1203. Using the GPS to monitor an individual for extended
periods of time reveals “with breathtaking quality and quantity . . . a highly detailed profile, not
simply of where [the individual] go[es], but by easy inference, of [the individual’s]
associations—political, religious, amicable and amorous, to name only a few—and of the pattern
of [the individual’s] professional and avocational pursuits.” Id. at 1199-1200. The sorts of
information revealed by the GPS include trips that are “indisputably private [in] nature of which
takes little imagination to conjure . . . .” Id. at 1199. With such technology at the government’s
disposal, “[t]he whole of a person’s progress through the world, into both public and private
spatial spheres, can be charted and recorded over lengthy periods . . . .” Id. Now, prolonged
tracking is “not merely possible[,] but entirely practicable . . . .” Id.
The extended surveillance of Leomund is the manifestation of the concerns of
concurrences in Jones, and the majority in Weaver. Officers were able to learn a great deal about
Leomund that, when considered as a whole, reveals so much about his character that it infringes
on his expectation of privacy. First, federal law enforcement officers set up a telephone pole
camera outside of Leomund’s property. J.A. 15. For five (5) days, the officers received
uninterrupted video of everything that occurred on Leomund’s property. Id. On two separate
occasions, they were able to observe pizza delivered to Leomund’s residence. Id. On a single
occasion, they observed Chinese food being delivered to Leomund’s residence. Id. On three
separate occasions, they observed FedEx delivering packages to Leomund’s residence. Id.
34
During those five (5) days, based on these observations, they could tell Leomund had a taste for
pizza and Chinese food. Additionally, they could tell that he had either purchased something or
had something purchased for him because of the FedEx deliveries. Neither of these observations
give any indication that Leomund had anything to do with the leaked information about the
Phyresis pathogen. After the five-day video footage turned up unsuccessful, officers decided to
use license plate scanners to indicate when Leomund had passed their vehicles. Id. For ten (10)
days, officers received notifications anytime Leomund was traveling somewhere and where he
was going at that particular time. Id. On two separate occasions, officers were notified that
Leomund was at a local grocery store. Id. On a single occasion, officers were notified that
Leomund was at a urologist’s office. Id. On two separate occasions, officers were notified that
Leomund was at a psychiatrist’s office. Id. On a single occasion, officers were notified that
Leomund was at a restaurant. Id. On three separate occasions, officers were notified that
Leomund was at a gentlemen’s club in surrounding towns. Id. On three separate occasions,
officers were notified that Leomund was driving on state roadways, one of which was near his
residence. Id. During those ten (10) days, officers learned that Leomund needed groceries, had
physical and mental issues, was hungry, and possibly needed sexual stimulation. Neither of these
observations give any indication that Leomund had anything to do with the leaked information
about the Phyresis pathogen. Instead, these observations revealed unquestionably private details
of Leomund’s life. Third, Officer Armando was sent to Leomund’s residence to monitor the area
and remain there to report anything unusual. Id. One (1) day later, Officer Armando observed a
Black Sedan that was not registered to Leomund enter onto Leomund’s property. Id. at 16. Based
on Officer Armando’s observations, federal agents dispatched an unmanned quadrocopter drone
to Leomund’s property. Id. It was equipped with a digital camera that transmitted live video. Id.
35
It was used for twenty (20) minutes and surveyed the area at an altitude of 400 feet. Id. Using the
cameras “zoom in” capabilities, the officers were able to see Leomund and Edgeworth using the
CDC’s disease maps. Id. It was not until this point that the officers had something indicating
Leomund has something to do with the leaks and that they decided to obtain a warrant. Id. In
total, officers monitored Leomund for sixteen (16) days and twenty minutes (20) without a
warrant. Allowing that amount of extended surveillance, only to have something relevant on day
16, is a clear violation of Leomund’s expectation of privacy that society would consider
reasonable.
B. The Supreme Court’s Previous Technology-Based Decisions Do Not Apply Because The Pole Camera, License Plate Scanners, and Quadrocopter Drone Revealed Far More Information Than The Technology At Issue In Those Cases
In United States v. Knotts, Knotts, Armstrong, and Petschen were charged with
conspiracy to manufacture controlled substances. United States v. Knotts, 460 U.S. 276, 277
(1983). 3M, Co., a chemical manufacturer had contacted narcotics investigators that Armstrong,
a former employee had been stealing chemicals which could be used to manufacture illicit drugs.
Id. at 278. Visual surveillance revealed Armstrong would steal the chemicals and purchase
chemicals from Hawkins Chemical Co., another chemical manufacture. Id. Armstrong delivered
those chemicals to Petschen. Id. With the consent of Hawkins Chemical, narcotics investigators
installed a beeper inside a container of chloroform, a chemical used to manufacture the illicit
drugs. Id. Hawkins Chemical agreed to sell that particular container to Armstrong. Id. When
Armstrong purchased the container, he placed it in his vehicle and drove to another location. Id.
The investigators followed Armstrong’s car by maintaining contact through the use of visual
surveillance and a monitor receiving the signals from the beeper. Id. Armstrong delivered the
container to Petschen at Petschen’s home. Id. Petschen took the container, placed it in his
36
vehicle, and drove to another location. Id. The investigators followed Petschen, who began
taking evasive measures, causing investigators to lose visual surveillance. Id. However, the
investigators were able to obtain a signal from the beeper, indicating its location at Knotts’ cabin.
Id. Investigators obtained a search warrant for Knotts’ cabin, where they discovered drug
laboratory equipment, drug chemicals, and the chloroform container. Id. at 279.
The Court held the installation of the beeper was not a “search” under the Fourth
Amendment. Id. at 285. The surveillance conducted by the investigators through the use of the
beeper was principally the following of an automobile on public roads. Id. at 281. An individual
has a “lesser expectation of privacy” when he uses an automobile on public roads. Id. (quoting
Cardwell v. Lewis, 417 U.S. 583, 590 (1974) (plurality opinion)). By traveling on public roads,
Petschen’s direction of travel and destination were “conveyed to anyone who wanted to look . . .
.” Knotts, 460 U.S. at 281-82. Additionally, although Knotts had an expectation of privacy in
activity that occurred in his cabin, he had no reasonable expectation of privacy “to the visual
observation of Petschen’s automobile arriving on his premises after leaving a public highway,
nor to movements of objects such as the drum of chloroform outside the cabin in the ‘open
fields.’” Id. at 282 (quoting Hester v. United States, 265 U.S. 57 (1924)). Visual surveillance
from public areas would have revealed all of the information that the beeper revealed. Knotts,
460 U.S. at 282. However, the court limited their holding to the brief surveillance that occurred
in the facts before it. Knotts argued that the Court’s holding would permit longer surveillance
without judicial approval. Id. at 283-84. rejecting the argument, the Court reasoned that “the
‘reality hardly suggests abuse,’ . . . [for] if such dragnet-type law enforcement practices as
[Knotts] envisions should eventually occur, there will be time enough then to determine whether
37
different constitutional principles may be applicable. Id. at 283-84 (quoting Zurcher v. Standford
Daily, 436 U.S. 547, 566 (1978)).
In California v. Ciraolo, Ciraolo was charged with the cultivation of marijuana.
California v. Ciraolo, 476 U.S. 207, 210 (1986). Police officers received an anonymous tip that
Ciraolo was growing marijuana in his backyard. Id. at 209. When the officers went to
investigate, they were unable to observe what was going on in Ciraolo’s backyard from ground
level because there was a 6-foot outer fence and a 10-foot inner fence completely enclosing the
yard. Id. Officers obtained a private plane and flew over Ciraolo’s house from 1,000 feet in the
area. Id. The officers were able to identify the marijuana plants from the plane and took a picture
of the area with a standard 35mm camera. Id. Based on the tip and the observations, officers
obtained a search warrant and seized the marijuana. Id. at 209-10.
The Court held Ciraolo had no reasonable expectation of privacy in his yard when the
officers observed the marijuana from navigable airspace. Id. at 214-15. Although Ciraolo’s yard
was a party of the curtilage of his home, that itself does not bar all police observations. Id. at
213. Additionally, Ciraolo’s attempts to prevent his activity from being seen does not prohibit
police observations from areas where they “a right to be and which renders the activities clearly
visible.” Id. (citing Knotts, 460 U.S. at 282). The Fourth Amendment does not protect the
activities an individual knows has been exposed to the public. Ciraolo, 476 U.S. at 213 (quoting
Katz, 389 U.S. at 347).
In Florida v. Riley, Riley was charged with possession of marijuana. Florida v. Riley, 488
U.S. 445, 449 (1989). The Sheriff’s office received an anonymous tip that Riley was growing
marijuana in a greenhouse on his property. Id. at 448. When an officer sought to investigate
Riley’s property, he was unable to see the contents of Riley’s greenhouse from the road because
38
of the surrounding trees, shrubs, and Riley’s motor home. Id. Additionally, Riley’s greenhouse
was covered by roofing panels. Id. The officer obtained a helicopter and flew above Riley’s
property at the height of 400 feet. Id. While flying in the air, the officer noticed the greenhouse
had two roof panels, approximately 10 percent of the roofing area, missing. Id. Using his naked
eye, the officer could see through the opening of the roof and identify what he believed to be
marijuana growing inside of it. Id. The officer obtained a warrant based on his observations and
searched the greenhouse, which indeed contained marijuana. Id. at 449.
Using the rationale of California v. Ciraolo, the Court held that Riley had no expectation
of privacy when the officer observed the marijuana from navigable airspace. Id. at 450-51. The
marijuana was viewable from the air as a result of the missing roof panels. Id. at 450. Since
private and commercial flights are routine in the United States, and that such flights were not
unheard of where Riley resided, he had no expectation of privacy when anyone from the public
could observe from the navigable airspace the marijuana he was growing. Id. at 450-51. The
helicopter was flying within the bounds of the law and navigable airspace. Id. at 451.
Additionally, no intimate details of the home or curtilage had been observed by the officer. Id. at
452.
The “dragnet-type” of surveillance the Court noted in Knotts has occurred in Leomund’s
case. Unlike the surveillances in Knotts, Ciraolo, and Riley, the surveillance of Leomund by
federal officers lasted extended far beyond a single destination and beyond a single day. Officers
monitored Leomund for sixteen (16) days, observing Leomund going to several different
locations, all of which did not implicate he had anything to do with leaking the information about
the Phyresis pathogen. Additionally, the surveillance in Knotts did not reveal private details of
the defendant’s life. The sixteen (16) day surveillance revealed a number of private details of
39
Leomund’s life, from visiting a urologist and psychiatrist’s office, to attending a gentlemen’s
club. Id. at 15. It was not until day sixteen that federal officers had specific evidence that
Leomund had anything to do with the leak of the Phyresis pathogen. Prior to that time,
Leomund’s private affairs became known to the federal officers, all of which were irrelevant to
the access of CDC-Secure.
CONCLUSION Therefore, because Leomund did not access CDC-Secure “without authorization,” and
did not “exceed [his] authorized access” under the plain meaning of the term “authorization,”
Leomund did not violate the CFAA. Additionally, because the aggregate use of the pole camera,
license plate scanner, and quadrocopter drone violated Leomund’s reasonable expectation of
privacy, an unreasonable search has occurred, in violation of the Fourth Amendment. We
respectfully request that this Court reverse the the holding of the United States Court of Appeals
for the Fourteenth Circuit.
