Unauthorized Entry

Fundamentals of Criminal Law by Adam J. McKee

Unauthorized entry, often referred to as hacking or unlawful access, involves gaining access to a computer system, network, or data without permission. This type of crime is not limited to traditional notions of physical trespass but instead involves the virtual invasion of digital spaces, where data and sensitive information are stored. The growth of the internet and the increasing reliance on technology have expanded the scope of unauthorized entry, making it a significant area of concern in criminal law. Both federal and state laws have been developed to address the various forms of unauthorized access, imposing penalties on individuals who breach secure systems or networks.

In prosecuting cases of unauthorized entry, the general elements of criminal law—actus reus and mens rea—remain central. For unauthorized entry crimes, actus reus is usually the act of accessing a computer system without proper authorization. This can occur by bypassing security measures, exploiting vulnerabilities in the system, or using false credentials. Mens rea, the mental element, often requires proof that the offender acted with the intent to access the system unlawfully, either to steal data, damage the system, or otherwise engage in criminal activity. However, in some cases, even negligent or reckless unauthorized access can be punishable, particularly under strict liability provisions.

Federal Statutes Governing Unauthorized Entry

The Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, is the primary federal law used to prosecute unauthorized entry offenses. Originally enacted in 1986, the CFAA has been amended several times to address the growing scope of cybercrime. The law criminalizes a broad range of activities, including accessing a computer without authorization, exceeding authorized access, and intentionally causing damage to a computer system.

Section 1030(a)(2) of the CFAA specifically prohibits obtaining information from any protected computer without authorization. A “protected computer” is broadly defined and includes not only government and financial institution computers but also any computer used in interstate or foreign commerce—essentially covering most computers connected to the internet. Section 1030(a)(5) addresses more severe offenses, making it a crime to knowingly cause damage to a protected computer, such as through the introduction of malware or other malicious software.

In addition to federal law, many states have enacted their own statutes to address unauthorized entry, particularly for offenses that occur solely within the state’s borders. For instance, New York’s Penal Law Section 156.05 criminalizes unauthorized use of a computer, while California’s Comprehensive Computer Data Access and Fraud Act (Penal Code Section 502) similarly prohibits unlawful access to computers, networks, and data within the state. These laws often parallel the provisions of the CFAA but are applied at the state level when federal jurisdiction is not invoked.

Hacking as Unauthorized Entry

Hacking is the most commonly recognized form of unauthorized entry. It involves gaining unauthorized access to a computer or network by bypassing security systems, exploiting software vulnerabilities, or using fraudulent credentials to gain access. Hackers may target private companies, government agencies, or even individuals, seeking to steal data, disrupt operations, or cause reputational damage.

Under the CFAA, hacking is clearly criminalized, and courts have consistently ruled that bypassing security measures, even in cases where no harm is immediately caused, satisfies the actus reus requirement for unauthorized entry. For example, in U.S. v. Nosal (2012), the defendant, a former employee of an executive search firm, used the credentials of current employees to access a company database after his termination. The Ninth Circuit ruled that using someone else’s credentials without permission constituted a violation of the CFAA, even though Nosal was not personally authorized to access the system.

The mens rea in hacking cases typically requires a showing of intent. Prosecutors must prove that the defendant knowingly accessed a computer without authorization or exceeded authorized access. In cases like Nosal, intent was demonstrated through the defendant’s deliberate use of false credentials to access a system from which he had been barred. However, courts have occasionally grappled with the definition of “unauthorized access” and whether violations of terms of service or workplace policies constitute criminal behavior under the CFAA. In some cases, the courts have required more than just a technical breach of access rules to meet the legal definition of hacking.

“Exceeding Authorized Access” and the CFAA

Another common scenario in unauthorized entry cases involves individuals who are authorized to access certain parts of a computer system but exceed their permissions to access restricted information. The CFAA’s provision on “exceeding authorized access” (18 U.S.C. § 1030(a)(2)) has been the subject of significant legal debate. In these cases, individuals are not complete outsiders or hackers in the traditional sense, but insiders who misuse their legitimate access to perform unauthorized actions.

A key example of this issue arose in Van Buren v. United States (2021), a U.S. Supreme Court case. Nathan Van Buren, a former police officer, used his authorized access to a law enforcement database to retrieve information in exchange for money. The court ultimately ruled that Van Buren did not violate the CFAA because he had legitimate access to the database, and his actions did not constitute “exceeding authorized access” under the law. The decision narrowed the interpretation of the CFAA, holding that merely violating workplace policies or terms of service does not automatically lead to a criminal violation if the user had legitimate access to the system in question.

This ruling has significant implications for future unauthorized entry cases, especially those involving employees who misuse their access. The court clarified that exceeding authorized access must involve obtaining information that the individual was not entitled to access in the first place, not merely using information in an unauthorized manner.

Unauthorized Access for the Purpose of Data Theft

Unauthorized entry is frequently a precursor to more serious offenses, such as data theft. In these cases, offenders gain unauthorized access to computer systems to steal sensitive information, including trade secrets, customer data, or intellectual property. Data theft is often carried out by insiders—employees or contractors who have legitimate access to a company’s systems but use that access to steal valuable information.

Federal law provides specific protections against data theft in the form of the Economic Espionage Act (EEA), codified at 18 U.S.C. § 1832. This law makes it a federal crime to steal or misappropriate trade secrets through unauthorized access or other unlawful means. The EEA often works in conjunction with the CFAA in cases involving corporate espionage, where offenders gain access to computer systems to steal proprietary information for commercial advantage.

A prominent case involving both unauthorized access and data theft is United States v. Aleynikov (2012). Sergey Aleynikov, a former Goldman Sachs employee, was convicted under the EEA for downloading source code from the company’s proprietary high-frequency trading system to a personal server. Although Aleynikov had authorized access to the system during his employment, his act of transferring the data to an external source without permission was considered both unauthorized access under the CFAA and data theft under the EEA. The case highlighted the intersection of insider threats and unauthorized entry, where employees abuse their access to commit crimes.

Criminal Intent and Unauthorized Entry

As with most crimes, proving mens rea is essential in prosecuting unauthorized entry cases. For most unauthorized access offenses, prosecutors must demonstrate that the defendant knowingly accessed the system without authorization or intentionally exceeded the scope of their access. The CFAA, in particular, requires knowledge or intent for most of its provisions, although certain sections impose liability for reckless or negligent actions that cause damage to computer systems.

In some cases, the defendant’s intent may be to cause financial harm, steal data, or sabotage a system. In other cases, the intent may be less malicious but still unlawful, such as when an individual accesses a system out of curiosity or to prove a point, as in many cases of so-called “ethical hacking.” However, even when no financial or physical damage results from the unauthorized entry, courts have generally held that the mere act of unauthorized access fulfills the requirement for a criminal charge under the CFAA.

Conclusion

Unauthorized entry into computer systems, whether through hacking, exceeding authorized access, or insider threats, poses significant risks to individuals, businesses, and governments. Federal and state laws, particularly the CFAA, provide robust legal frameworks to prosecute these crimes. Courts must carefully balance the actus reus and mens rea elements to distinguish between negligent or inadvertent access and willful, malicious behavior. As technology continues to evolve, legal interpretations of unauthorized entry will likely continue to develop, shaping the future of computer crime enforcement.


Key Terms

 


References and Further Reading

 

 

Modification History

File Created:  07/17/2018

Last Modified:  10/21/2024

[ Back | Content | Next]


This work is licensed under an Open Educational Resource-Quality Master Source (OER-QMS) License.

Open Education Resource--Quality Master Source License

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.