7th Circuit Applies Computer Hacking Statute to Use of Trace Removers on Employee Laptops

March 8, 2006. The U.S. Court of Appeals (7thCir) issued its opinion [7 pages in PDF] in International Airport Centers v. Citrin, a post-employment dispute that also involves application of the Computer Fraud and Abuse Act to employees' use of trace remover tools on the laptops assigned to them by their employers.

The opinion states that an employee of a company who is provided a laptop computer by that company, and who uses a trace remover tool on that laptop, might be sued civilly, or prosecuted criminally, for that act, even if there is no employment contract or company policy that prohibits the use of trace remover programs.

Background. This opinion pertains to trace remover programs and tools. The opinion uses the term "secure-erasure program". They are also sometimes referred to as "disk wipe". See, for example, PC Magazine's May 4, 2005, review of seven products, that among other things, "securely overwrite and erase files and folders".

See also, PC Magazine's April 20, 2004, article by Jay Munro titled "Wipe Data From Old PC's For Good". It states that "When Windows deletes a file, it doesn't delete the data, only removes the file name from the directory tables. With readily available tools, a savvy user can view the hard drive, undelete and ferret out information you thought was gone." The article goes on to explain how to wipe data manually. It also references several tools for purchase.

These tools have many security and privacy benefits. They are frequently used by individuals, corporations and government agencies before a computer, or storage media, is sold or transferred to another user, to prevent subsequent owners or users from accessing confidential files of the previous user. They are used to limit the loss of confidential data in the event that a computer is stolen or improperly accessed by a third party. They also are used to protect the privacy of the user. For example, they can be used to prevent third parties from accessing the computer to learn what health information websites the user has visited, and what materials the user has downloaded. (They can also be used to remove traces of visits to porn web sites.)

The opinion states that the lead plaintiff, International Airport Centers (IAC), is "engaged in the real estate business", and that the defendant is a former employee named Jacob Citrin. The opinion states that IAC filed a complaint in U.S. District Court (NDIll). However, the opinion does not identify what causes of action IAC pled. Although, it states that IAC pled violation of the Computer Fraud and Abuse Act, which is codified at 18 U.S.C. § 1030, and states that the other claims are state law claims.

The opinion does not identify what tool or program Citrin used. It states only that "Citrin loaded into the laptop a secure-erasure program, designed, by writing over the deleted files, to prevent their recovery." The opinion adds the the appellate record does not indicate how Citrin loaded the program onto his laptop.

The opinion relates that Citrin and IAC are involved in litigation arising out of Citrin's decision "to quit IAC and go into business for himself, in breach of his employment contract." Also, the opinion states that Citrin overwrote "data that would have revealed to IAC improper conduct in which he had engaged before he decided to quit." (This is an appeal of dismissal of IAC complaint, so the Court of Appeals views the facts in the light most favorable to IAC.)

There may also be substantial and serious claims alleging breach of contract, unfair competition, or misappropriation of trade secrets. However, the present opinion only identifies the § 1030 claim.

The Statute. 18 U.S.C. § 1030 is the main federal computer hacking criminal statute. It contains numerous criminal bans related to unauthorized accessing of computers to steal information or cause damage.

In addition, some of the bans can also give rise to civil liability. Subsection 1030(g) provides, in part, that "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages."

Subsection 1030(a)(5) in turn provides as follows:

"(a) Whoever ...
  (5)
    (A)
      (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
      (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
      (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
    (B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
      (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
      (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
      (iii) physical injury to any person;
      (iv) a threat to public health or safety; or
      (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;"

That is, to violate subsection 1030(a)(5), one must cause one of the five types of loss enumerated in (a)(5)(B), as a result of committing one of the three acts enumerated in (a)(5)(A).

Judge Posner's Opinion. The Appeals Court opinion is not clear as to which acts or types of loss were pled in the complaint. The opinion states that IAC "relies" on (5)(A)(i). However, it goes on to analyze (5)(A)(ii).

The opinion concludes that the facts, viewed in the light most favorable to IAC, support allegations of violation of both (5)(A)(i) and (5)(A)(ii).

The opinion states that the District Court dismissed for failure to state a claim upon which relief can be granted. The last sentence of the opinion states that "The judgment is reversed with directions to reinstate the suit, including the supplemental claims that the judge dismissed because he was dismissing IAC's federal claim." This hints that the complaint also included state law claims, and that the § 1030 claim may have been included for the purpose of obtaining federal jurisdiction.

The opinion states that this appeal "requires us to interpret the word ``transmission´´ in a key provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030." The opinion also involves interpretation of the word "authorization" in the same § 1030.

The opinion concludes that for the purposes of construing the word "transmission" in (5)(A)(i), it makes no difference whether the defendant inserted a floppy disk or CD into a drive of the laptop to run the trace remover tool, or has accessed the laptop remotely over the internet for the same purpose. The opinion states that "we don't see what difference the precise mode of transmission can make", and that "it can't make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD." Both are a "transmission". The Court reasoned that (5)(A)(i) and (5)(A)(ii) together show that the Congress was concerned both about remote hackers, and inside jobs by disgruntle employees.

That is, the opinion holds that persons using their own laptop transmit to that laptop simply by using that laptop.

However, the (5)(A)(i) analysis does not end there. It also requires that the defendant "causes damage without authorization". IAC provided Citrin with the laptop for his use. He had authorization in the plain sense of the word. The statute makes a clear distinction between "without authorization" and "exceeds authorized access". Hence, the Court of Appeals could not find a violation of (5)(A)(i) based upon exceeding authorization.

The Court found that Citrin did indeed not have "authorization" within the meaning of the statute. It reasoned that Citrin entered into this state non-authorization by operation of the law of agency. It wrote that "his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee." It added that "Citrin’s breach of his duty of loyalty terminated his agency relationship ... and with it his authority to access the laptop ..."

Contract and agency are matters of state law. This case arose in the state of Illinois. Yet the only cases cited by the Court were from other states, and other federal circuits.

The opinion also addresses the employment contract. It cites no clauses barring the use of trace remover tools. Nor does it address termination of authorization to access laptops. The Court did write that the contract authorized Citrin "to ``return or destroy´´ data in the laptop when he ceased being employed by IAC". He did literally "destroy" data when he left the company, as authorized by the contract. Nevertheless, the Court of Appeals reasoned that the contract does not means what it says. It inferred further meaning into the contract, and thus held that this clause did not authorize Citrin's actions.

The case now goes back to the District Court for further proceedings. The 1030 count survives the motion to dismiss.

Criminal Proceedings. This is a civil case. However, the statute construed by this opinion is primarily a criminal statute. This opinion may be cited as precedent in criminal actions.

Mens rea components are fundamental to due process in criminal proceedings. Yet, the Court of Appeals opinion has the effect of substantially eviscerating any meaningful mens rea element from 1030(a)(5)(A)(i) in cases involving employee use of trace removal tools.

(5)(A)(i) contains the mental state elements of "knowingly causes the transmission" and "intentionally causes damage". In common hacking scenarios where the hacker remotely transmits hacking tools or malicious programs to a protected computer, the mens rea elements have real meaning. Bad actors know they are transmitting malicious code, and intend malicious damage.

However, the present case involves use of a computer assigned to an employee, and use of a program which, by itself, is neither illegal, malicious, nor against company policy. It goes without saying that an employee assigned a laptop intentionally accesses that laptop, and that an employee who uses a trace remover tool intentionally removes traces. But these acts are not malum in se. There may be no inherent evil state of mind. Many employees may have no understanding that their intentionally accessing their laptops and knowingly removing traces might constitute a criminal violations. The act only becomes criminal by the operation of the law of agency. And even on this, the Court of Appeals had to resort to out of state precedent on a state law question. In effect, this opinion provides that the mental state elements of (5)(A)(i) impute knowledge of obscure principles of agency law to rank and file employees who use company laptops.

This case is International Airport Centers, LLC, et al. v. Jacob Citrin, U.S. Court of Appeals for the 7th Circuit, App. Ct. No. 05-1522, an appeal from the U.S. District Court for the Northern District of Illinois, Eastern Division, D.C. No. 03 C 8104, Judge Wayne Andersen presiding. Judge Richard Posner wrote the opinion of the Court of Appeals, in which Judges Williams and Sykes joined.