Now the debate with Orin is actually getting somewhere. Sort of. Orin has posted a further reply. Here’s a scorecard:
1. Does authorization depend exclusively on ownership?
Orin’s latest post does a good job of showing that the CFAA often draws a coherent distinction between rights in data and rights in a computer, and that rights in the computer are the statute’s principal focus. I don’t disagree.
Where we differ is how much that matters. Orin seems convinced that this distinction makes rights in data irrelevant to the question of what constitutes authorized access to a computer. He doesn’t really offer a reason for treating it as irrelevant. He just assumes it must be, probably because he also assumes that authorization is an all or nothing concept, so that if the owner has authorization no one else has any, and vice versa.
But Orin's assumption has no basis in the statute that I can see. As my last post says, that’s like assuming that because a trespass statute protects the owners of land, everyone else must be punished as a trespasser, no matter what other rights they have to enter the property. That would make felons of rescuers, people in hot pursuit of thieves, easement holders, and government officials. You could come to that conclusion if that’s what the law unequivocally said, but in this case the law only makes felons of people who are not authorized (or not entitled) to access the computer.
So why would we ignore other claims of entitlement – especially when ignoring those claims makes a felon of someone performing an act with undeniable social value?
Orin’s reluctance to defend his assumption is striking. Maybe he's got a good response; but he hasn't offered it yet.
2. Should policy influence the interpretation of "authorization"?
Orin continues to look down his nose at the introduction of policy into the interpretation of this central but undefined term. He thinks I’m requesting a new statute. In fact I’m asking the courts to recognize a perfectly plausible reading of “authorization,” in a criminal context where ambiguity would ordinarily be resolved in favor of the defendant.
I agree with Orin that this interpretation requires the courts to decide which entitlements should be recognized and which should not. He thinks that's a role for Congress, not the courts, an argument that might be more persuasive in discussing a civil statute, or a criminal statute that was not deterring companies from responding aggressively to a dangerous intelligence attack on our economy and our society.
That said, I welcome Orin’s acknowledgement that maybe Congress should permit counterhacking in some circumstances. Though I fear the CCIPS Old Guard lives on in his heart, and that somehow no actual amendment will ever quite pass muster there.
3. Is necessity a defense for counterhacking?
Orin suggests that a federal criminal necessity defense might be more apt in this case. Maybe so, but he acknowledges that it is at best controversial. At worst, in fact, it doesn’t exist . So, while I won’t spurn even a modest agreement with Orin, the chance to prove an affirmative defense that may not apply isn't likely to offer much comfort for companies that want to gather information about their attackers.
I don’t want to prolong this debate for readers who have lost interest, so I won’t be making any further posts. If you want to follow it further, check the Volokh Conspiracy for a continuation of the debate in the comments to my post or to Orin Kerr's last post.