
The federal law at issue here isn't contingent on the owner delivering a Cease & Desist letter or even taking any affirmative steps whatsoever. No court is going to read that into the law. At best a C&D is evidence of the rescission of authorization, but all the statute cares about is whether authorization existed or not.

Importantly, Oracle didn't actually lock their account. And even more importantly, AFAIU this guy was an employee.

For these and some other technical reasons (I haven't read the case but likely part of it may be related to the jury instructions), the question to be answered by the court really comes down to whether violation of Terms of Service alone suffices to meet the "without authorization" prong of the criminal statute.

If the answer is no then the case goes back to trial. The defendant doesn't get a free pass, it's just that the prosecution will have a slightly higher burden to overcome in showing lack of authorization. Higher in the sense that the burden involves taking into consideration other factors than merely boilerplate policies and notices.

Another way to look at it is, say your boss tells you that you must leave the office at 5PM sharp, and that nobody is allowed to log into corporate accounts after 5PM. This policy is also displayed from /etc/motd every time you log in. You occasionally stay at work late some evenings, accessing the corporate accounts in a typical fashion. One day you're accused of doing something nefarious--maybe you were, maybe you weren't. Is your working after 5PM a prima facie showing that your access was unauthorized? That is, do all they have to show is that corporate policy was not to log in at 5PM? Is it rebuttable? Does it matter whether your boss communicated this to you personally?

The way these legal tests work, at least in common law countries, is that you break the law down into predicates. For the law to apply, you must show that each predicate holds. Each predicate is its own little universe. You don't take other predicates into account; there's often a separate predicate for intent and other overarching context. The predicate here is "without authorization". What does that mean? It's a trickier question than you'd think. And it can't merely mean whatever your boss intended--it has to be an objective standard that doesn't lead to absurd outcomes in the real world. Especially in criminal law, a crime can't turn on someone's subjective intent, except for the intent of the accused. Similarly, specifically in regard to "without authorization", not even the accused's intent matters.




>all the statute cares about is whether authorization existed or not.

No, that's not all the CFAA cares about.

>(a)(2)(C) Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer;

Thus my confusion. Why present the case as "without authorization" (based on the TOS) in the first place, when "exceed[ing] authorized access" (based on the C&D) seems like a much lower bar to clear and is less likely to provoke nonprofits complaining about precedent?

https://www.law.cornell.edu/uscode/text/18/1030#a_2



