RECOMMENDED FOR PUBLICATION Pursuant to Sixth Circuit I.O.P. 32.1(b) File Name: 24a0147p.06
UNITED STATES COURT OF APPEALS FOR THE SIXTH CIRCUIT
┐ CONLAN ABU; RYAN MOORE, │ Plaintiffs-Appellants, │ > No. 23-1573 │ v. │ │ STANLEY B. DICKSON; DICKSON & ASSOCIATES, PC, │ Defendants-Appellees. ┘
Appeal from the United States District Court for the Eastern District of Michigan at Detroit. No. 2:20-cv-10747—Linda V. Parker, District Judge.
Argued: May 2, 2024
Decided and Filed: July 8, 2024
Before: SUTTON, Chief Judge; WHITE and THAPAR, Circuit Judges. _________________
COUNSEL
ARGUED: R. Christopher Cataldo, TAFT STETTINIUS & HOLLISTER, LLP, Southfield, Michigan, for Appellants. Phillip J. DeRosier, DICKINSON WRIGHT PLLC, Detroit, Michigan, for Appellees. ON BRIEF: R. Christopher Cataldo, James W. Rose, TAFT STETTINIUS & HOLLISTER, LLP, Southfield, Michigan, for Appellants. Daniel D. Quick, DICKINSON WRIGHT PLLC, Troy, Michigan, for Appellees.
SUTTON, C.J., delivered the opinion of the court in which THAPAR, J., joined in full. WHITE, J. (pp. 15–16), delivered a separate opinion concurring in part and in the judgment. _________________
OPINION _________________
SUTTON, Chief Judge. When Stanley Dickson sold the assets of one of his businesses, he asked his IT administrator to create email accounts for the buyers to use and permitted the No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 2
employees of the two companies to use the accounts. Several months after the deal closed, the relationship between the parties soured and the parties tried to unwind the deal. In the interim, the IT administrator preserved some of the emails from those accounts for the ensuing litigation. At stake is whether the IT administrator’s search of the buyers’ email accounts violated the Computer Fraud and Abuse Act or Stored Communications Act. It did not. When the IT administrator entered his own credentials to search the email accounts that he managed, he did not intentionally act without authorization and he did not intentionally exceed his authorization.
I.
Dickson owned three businesses: the Epicurean Group, a restaurant and catering business; Dickson & Associates, P.C., an accounting firm; and Propel Technologies, an IT company. The Epicurean Group employees each had email accounts that ended in @theepicureangroup.com. Dickson & Associates purchased the domain for theepicureangroup.com and paid renewal fees to keep the domain. Propel also purchased Microsoft Office 365 licenses for the Epicurean Group’s employees to use. John Massey, an IT administrator who took care of other online accounts for the Dickson affiliates, became the account administrator for the @theepicureangroup.com email accounts.
In January 2019, Dickson agreed to sell the Epicurean Group’s assets to a California corporation, Conlan Abu, owned by Ryan Moore. After closing the deal, Massey remained the account administrator for the relevant email services of the Conlan company and the Epicurean Group. The Conlan employees received @theepicureangroup.com email accounts through the same Microsoft 365 platform. During this time, Moore emailed Massey to create new accounts for new hires, to cancel accounts for discharged employees, and to reset passwords.
By July of that year, the relationship between the two entities broke down, prompting an effort to unwind the deal and leading eventually to litigation. The Conlan Abu company and Moore (collectively, Conlan or the Conlan company) filed a state court lawsuit against some of the Dickson affiliates, alleging that they failed to assign key restaurant contracts and leases to the Conlan company. Conlan tried to return the assets obtained from the sale, and the Dickson affiliates countersued. On August 1, Massey sent an email to all of the Conlan users with No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 3
@theepicureangroup.com email addresses, alerting them that he would deactivate their email accounts in a month.
In the meantime, Dickson asked Massey to retrieve and preserve emails between Moore’s Epicurean Group email address, rmoore@theepicureangroup.com, and various other individuals for the state court litigation. Massey found the emails via the Microsoft 365 search feature, using his credentials as the Microsoft 365 tenant account administrator. The Dickson affiliates turned over the emails to Conlan during state court discovery. Relations between the one-time deal partners went from bad to worse.
Conlan filed this lawsuit in federal court, alleging that Dickson and one of his companies, Dickson & Associates, violated the Computer Fraud and Abuse Act and the Stored Communications Act by accessing Moore’s emails. Each side moved for summary judgment. The district court ruled as a matter of law for the Dickson affiliates.
II.
The Computer Fraud and Abuse Act protects our Nation’s computers from hacking. Enacted in 1984 and significantly amended in 1986, the Act’s computer trespass provision covers anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information.” 18 U.S.C. § 1030(a)(2)(C).
The Act prohibits two types of digital trespassing: access without authorization and access that exceeds authorization. Id. Access “without authorization” refers to “outside hackers—those who access a computer without any permission at all.” Van Buren v. United States, 593 U.S. 374, 389 (2021) (quotation omitted). Access that exceeds authorization targets “inside hackers—those who access a computer with permission, but then exceed the parameters of authorized access by entering an area” of a computer that remains off-limits. Id. at 389–90 (quotation omitted). Imagine, to picture the distinction, that you open your office door and, to your surprise, find someone already inside. If the person is a stranger with no right to be in the building, they lack authorization. If the person is a coworker from down the hall, they may have exceeded their authorized access. No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 4
On top of that, the Act covers only “intentional[]” violations—intentional efforts to act without authorization or to exceed authorization. 18 U.S.C. § 1030(a)(2). Violators of the Act face the possibility of criminal liability and, as shown here, civil lawsuits from private parties. See id. § 1030(c), (g).
One last preliminary point. The Conlan company filed this claim against Dickson and his accounting firm. In the court below and in this court, the parties have focused on the intent of Massey, the employee who “accessed” the email accounts. See Van Buren, 593 U.S. at 388 (explaining that “[i]n the computing context, ‘access’” takes on the “technical meaning” of “entering a computer system itself or a particular part of a computer system, such as files, folders, or databases”) (quotations omitted). That’s fair game because the Dickson affiliates could be vicariously liable for any completed offenses of their agent. See Meyer v. Holley, 537 U.S. 280, 285 (2003). Hence we, like the district court, focus on Massey’s actions and Massey’s intent in accessing the emails.
A.
Did Massey “intentionally” access Moore’s emails “without authorization” under the Act? 18 U.S.C. § 1030(a)(2). No. Massey was the consummate computer insider: the IT administrator. He managed the Epicurean Group’s email accounts, which gave him undisputed authorization to add and remove user accounts and change passwords. Logging in via his own credentials gave him access to users’ emails. The Act’s prohibition on intentionally obtaining access “without authorization” thus does not apply to Massey’s conduct. See Van Buren, 593 U.S. at 382, 389; see also LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009).
B.
Did Massey intentionally exceed his authorization under the Act? 18 U.S.C. § 1030(a)(2). Having “authorization” means having “sanction or permission.” Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 759 (6th Cir. 2020). Exceeding authorization means entering an area of the protected system that is beyond the parameters of authorization. Van Buren, 593 U.S. at 389–90. No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 5
Determining the parameters of authorization, we must acknowledge, is not always easy to pin down. Imagine, to picture the problem, that you come into your office in the morning and are greeted by the janitor, the cleaning crew, or the office manager. Unlike an outsider, each of them has authorization to be there to fix things in the office or to remove the trash. But what if you found them looking through the drawers in your desk? Absent a prior request to fix the drawer or to clean the inside of the desk, that would likely exceed their authorization.
In thinking about authorized computer access by IT coordinators, the lines are less three- dimensional and, in some cases, less clear. Van Buren tells us what not to do. It explains that users do not exceed authorized access merely by having “improper motives for obtaining information that is otherwise available to them.” Id. at 378.
The facts of Van Buren illustrate the point. A police officer “ran a license-plate search in a law enforcement computer database in exchange for money,” flouting the department’s policy that the database could be used only for law enforcement purposes. Id. Van Buren reasoned that the officer’s improper purpose did not change the reality that he was authorized to access the system. Id. Exceeding authorization, Van Buren explained, is a “gates-up-or-down inquiry.” Id. at 390. So long as a user is permitted to be on a particular “area[] within the system” for some purposes, the gates are up, and the user’s access to the system is “authorized.” Id.
How, then, do courts discern “authorization”? Who establishes the gates? When are they up? When are they down?
The Act offers a start. It identifies one clear source of authorization: “code-based” permission. Id. at 390 n.8. When the computer code allows a user to take a certain action, it’s usually fair to say that the system authorizes the access. The Computer Fraud and Abuse Act’s password-trafficking provision, 18 U.S.C. § 1030(a)(6), “contemplates a ‘specific type of authorization—that is, authentication,’ which turns on whether a user’s credentials allow him to proceed past a computer’s access gate, rather than on other, scope-based restrictions.” Van Buren, 593 U.S. at 390 n.9 (quoting Patricia L. Bellia, A Code-Based Approach to Unauthorized Access Under the Computer Fraud and Abuse Act, 84 Geo. Wash. L. Rev. 1442, 1470 (2016)); see also hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1198 (9th Cir. 2022); cf. 18 U.S.C. No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 6
§ 2701(a) (seeming to contemplate that “authorization” could be code-based in a similar provision of the Stored Communications Act).
The “ordinary usage” of “authorization,” we have said, also covers a company’s “sanction or permission” for the use of its computers. Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295, 303–04 (6th Cir. 2011); Royal Truck, 974 F.3d at 759. That brings into the equation agency principles and employer policies. Did the company, for example, give the employee access to the system and empower him to do what he did? See United States v. Shahulhameed, 629 F. App’x 685, 688 (6th Cir. 2015) (concluding that firing an employee cut off his “authorization” to access company accounts, even though the employee could still log in); see also LVRC Holdings, 581 F.3d at 1136. Permission or not, then, informs the authorization inquiry. The “sanction or permission” also might be affected by contracts between the two parties, as when two distinct companies have access to a computer system.
Helpful scholarship in the area identifies a similar set of ways to think about authorization. The key articles look at everything from the computer code to agency law to company policies to contemporary norms about trespass and privacy. See, e.g., Orin S. Kerr, Computer Crime Law 38–40, 49, 67–68 (5th ed. 2022) (discussing breaches of “code-based restrictions,” “contract-based restrictions,” and “social norms on computer access”); Bellia, supra, at 1444–60; Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1146 (2016) (arguing that “concepts of authorization rest on trespass norms,” meaning “broadly shared attitudes about what conduct amounts to an uninvited entry”).
We need not settle on every appropriate measure for ascertaining whether someone exceeds authorization today. See Van Buren, 593 U.S. at 390 n.8 (“For present purposes, we need not address whether [authorization] turns only on technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.”). No matter how we measure authorization, Massey did not exceed it due to another textual imperative of liability: intent. The Act, recall, prohibits only “intentionally” exceeding authorized access. 18 U.S.C. § 1030(a)(2). No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 7
An employee, like Massey, does not intentionally exceed authorized access when he deliberately accesses a protected system but lacks notice that his access is unauthorized. The Act’s computer trespassing provision penalizes only one who “intentionally . . . exceeds authorized access.” Id. The adverb “intentionally” modifies the verb “exceeds.” “To exceed” means “to go beyond a limit[,] . . . [or] do more than is justifi[able] [] or allowable.” Exceed, Merriam Webster’s Unabridged Dictionary, https://unabridged.merriam- webster.com/unabridged/exceed (last visited June 28, 2024); see also 18 U.S.C. § 1030(e)(6) (defining “exceeds authorized access” to mean going beyond the scope of an entitlement).
This feature of “exceeds”—that it refers to an entitlement, justification, or allowance— goes a long way to resolving this case. Id. An insider does not intentionally do more than is justified if he has no reason to know that his conduct is off-limits. Intentionally exceeding authorization requires, at a minimum, that the insider purposefully access an area of a computer and know that it is forbidden. See Kerr, Norms of Computer Trespass, supra, at 1181; cf. EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003) (explaining that “website provider[s] can easily spell out explicitly what is forbidden”).
This description of the mental state requirement honors the language that Congress chose. Congress opted to pair “intentionally” with “exceeds” rather than “accesses.” Had Congress meant to impose liability on every computer insider who intentionally clicks links and unintentionally finds himself in a place where he should not be, Congress could have phrased the statutes differently. It could have barred, say, “intentionally accessing a protected system when such access exceeds authorization.” But the language it did use—a bar on intentionally exceeding, not intentionally accessing—focuses the interpreter on whether the individual intended to exceed the bounds of authorization.
This interpretation of the “intentionally exceeds” clause also comports with the way we interpret criminal statutes. Yes, this case, we appreciate, involves only civil penalties. But statutes are “not chameleons,” meaning one thing in one setting, another in another. Esquivel- Quintana v. Lynch, 810 F.3d 1019, 1028 (6th Cir. 2016) (Sutton, J., concurring in part) (quotation omitted), rev’d on other grounds sub nom. Esquivel-Quintana v. Sessions, 581 U.S. No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 8
385 (2017). Because the same provision has civil and criminal penalties, we must give it the same reading in both settings. See Leocal v. Ashcroft, 543 U.S. 1, 11 n.8 (2004).
We read criminal statutes to “reflect[] the basic principle that ‘wrongdoing must be conscious to be criminal.’” Elonis v. United States, 575 U.S. 723, 734 (2015) (quoting Morisette v. United States, 342 U.S. 246, 252 (1952)). A defendant may not need to “know that his conduct is illegal before he may be found guilty.” Id. But he “generally must know the facts that make his conduct fit the definition of the offense.” Id. (quotation omitted). Examples abound. A defendant convicted of distributing lewd depictions of minors must know that the persons depicted are minors. United States v. X-Citement Video, Inc., 513 U.S. 64, 78 (1994). A defendant convicted of unauthorized use of food stamps must know the facts that make the use of the food stamps unauthorized. Liparota v. United States, 471 U.S. 419, 433–34 (1985); see generally Elonis, 575 U.S. at 734–37 (collecting more examples). In this setting, it would be unusual for Congress to punish innocent behavior—using a system as an insider with permission—if the insider had no reason to know that they exceeded the metes and bounds of authorization. Cf. Long v. Insight Commc’ns of Cent. Ohio, LLC, 804 F.3d 791, 797 (6th Cir. 2015) (holding that for a provider to knowingly or intentionally violate the Stored Communications Act’s disclosure provision, it must know “that it was divulging information” as well as “the facts that made the disclosure unauthorized”).
Gauged by these requirements, the Dickson affiliates are entitled to summary judgment, as the district court correctly held. The Conlan company has not pointed to any evidence in the record that, if proven, would show that Massey was on notice that accessing Moore’s emails would violate any limitations on authorization—whether code-based restrictions, agency principles, computer norms, company policies, or contracts.
Begin with the possibility that the computer code limited his access. The record demonstrates that Massey did not intentionally bypass any code-based barriers. Massey attested in his affidavit and deposition testimony that he accessed the emails by entering his regular administrator credentials, namely his pre-established computer permissions. The Dickson affiliates also provided an expert report, unrebutted on this score, explaining how an No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 9
administrator with Massey’s privileges would be able to search the emails in a Microsoft 365 account, all without running into any authentication barriers.
From an agency perspective, Massey’s sworn affidavit conveys his belief that the Dickson affiliates had authority over the email accounts and that he was acting in accordance with Dickson’s express direction. “As the license holder and administrator of the @epicureangroup.com[] Office 365 accounts,” Massey attested, “I believed Mr. Dickson and I were authorized to view these communications.” R.9-4 at 3. Massey’s affidavit added that, “to the best of [his] knowledge,” id. at 4, he “help[ed] administrate all Microsoft Office 365 business accounts maintained by Mr. Dickson through his IT company, Propel,” id. at 2; that all accounts using the @theepicureangroup.com domain were “maintained and paid for under Propel Technologies’ Office 365 tenant account,” id.; that Dickson & Associates, not the Conlan company, paid for the @theepicureangroup.com Office 365 license fees, id.; and that he had previously performed various IT services on the @theepicureangroup.com email accounts, “including assisting with termination of employees, new hires, creation of new accounts, and resetting passwords,” id. The record reflects that Massey, at Dickson’s direction, gave the Conlan company notice on August 1 that the Epicurean Group email accounts would be shut down on September 1. If Moore or the Conlan company had said at the time that they owned the email accounts, Massey may have at least had some notice to think that the Dickson affiliates were not in charge of the accounts. But neither Moore nor any other employee of the Conlan company raised any such objection.
The Conlan company likewise does not identify any contract between the parties that limited Massey’s access to the relevant computer systems. This source of potential liability thus does not work either.
The record also offers no handhold for the idea that Massey had knowledge of any company policy or computer norms that would limit his permission to access the contents of email accounts that he administered. His affidavit attested that no one ever asked him to give up administrative privileges or to migrate the email accounts to a new master Microsoft Office account until after September 1. Beyond that, Microsoft’s Privacy Statement alerted users that “[i]f you use a Microsoft product or use an email address to access Microsoft products and that No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 10
product or email address was provided by an organization you are affiliated with, such as an employer[,] . . . that organization can: . . . [a]ccess and process your data, including . . . the contents of your communications and files.” R.55-26 at 15 (emphasis added).
On this record, no evidence shows that Massey intentionally read emails he was not allowed to see. The district court thus correctly ruled for the Dickson affiliates as a matter of law.
The Conlan company pushes back. It argues that Massey intentionally exceeded his authorized access because he had the improper purpose of helping the Dickson affiliates obtain “an advantage in ongoing, adversarial litigation.” Appellant’s Br. 39–40. Put to the side the reality that the conventional discovery rules probably required the preservation of all emails in the system anyway. See Fed. R. Civ. P. 26(a)(1), 37(e); Mich. Ct. R. 2.302(A)(1), (B)(5), 2.313(D). For today’s purposes, all that matters in answering this concern is what Van Buren teaches—that a person’s access to a computer can be authorized even when his purpose is improper. 593 U.S. at 378, 396. The key point is whether the insider is prohibited from accessing that part of the system. If the insider may enter a particular area of the system for some purpose, the insider is “authorized.” Id. at 389–90. A bare allegation that Massey had an “improper purpose” of giving the Dickson affiliates an edge in litigation does not tell us whether he exceeded authorization or had reason to know that he exceeded authorization.
At oral argument, the Conlan company for the first time flagged correspondence that, it claims, should have alerted Massey that he could not access the Epicurean Group’s email accounts. Moore, we are told, sent a mass termination email to all employees and thus, the argument continues, Massey should have known that he was no longer authorized to serve as the IT administrator. Oral Argument at 4:00–4:20, 8:18–8:40.
Two problems cloud this argument. One is that the Conlan company forfeited it by failing to mention it in the summary judgment briefing below or in the briefing here. See Scott v. First S. Nat’l Bank, 936 F.3d 509, 522 (6th Cir. 2019). But even if Moore did send such an email, Conlan admits that Massey did not have an employment agreement with the Conlan company, and, even after the alleged email, Moore and Massey continued to correspond No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 11
regarding the pending shut-down of the email accounts. Even if there were a mass termination email, it thus would not show that Moore ended Massey’s role as the IT administrator, as their continuing correspondence shows.
The Conlan company, more generally, argues that Massey’s access was unauthorized because it owned the email accounts, not Dickson. This line of argument implicates several questions. Were the email accounts included in the assets that the Epicurean Group and Stanley Dickson sold to the Conlan company? If so, did Massey successfully tender them back? And did Dickson refuse to accept them? In view of these factual disputes, the Conlan company alleges, the district court should not have granted summary judgment.
But what matters at summary judgment is not whether any factual dispute exists. It’s whether the fact dispute is material. This one is not. What matters is whether Massey knew that the email accounts belonged to someone else. Massey attested that he believed the email accounts at issue belonged to Dickson, and Conlan has not pointed to any evidence in the record that undermines that understanding. It was not within the IT administrator’s bailiwick, no surprise, to be up-to-date on the terms of the asset purchase agreement or on the complicated process of unwinding that agreement.
The Conlan company maintains that a key premise of the district court’s ruling—whether Massey obtained all of the emails by entering his own administrator credentials—is a disputed factual question that should be presented to a jury. But Massey has attested that he obtained the emails in this manner. It makes no difference whether he understood from a technical perspective how the search worked. The Conlan company has not introduced any affirmative evidence that Massey obtained the emails in any other way. In the face of Massey’s sworn statements that he obtained the emails with his administrator privileges, Conlan’s “naked supposition and bare speculation” that he obtained them in some other manner does not create a dispute of material fact. Hutchison v. Lowes Home Ctrs., LLC, No. 21-4048, 2022 WL 1773720, at *2 (6th Cir. June 1, 2022).
Along the same line, the Conlan company complains that Massey obtained emails sent from Moore’s personal email account. But the record shows that those emails were preserved as No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 12
linked to employees’ Microsoft 365 calendars. This is what Dickson’s expert said, and while Conlan’s expert questioned whether there was enough evidence to support that conclusion, Conlan’s expert provided no competing explanation of how Massey came across those personal emails.
The concurrence agrees with much of this analysis, but worries that by focusing our intent inquiry on Massey rather than Dickson, we have created a loophole for principals to hire unwitting agents to do the accessing. To be sure, we do not mean to suggest that a principal’s intent can never be relevant to determining whether the principal is liable under the Act for an agent’s unauthorized access. Cf. 18 U.S.C. § 2(b) (extending liability to “[w]hoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States”); 18 U.S.C. § 1030(b) (conspiracy and attempt offenses). But for our purposes, the district court trained its analysis on Massey rather than Dickson, and Conlan’s appellate briefing never shifted that focus. At most, Conlan’s brief argues that an improper purpose—which Conlan ascribes indiscriminately to Massey and the defendants—shows that access here was intentionally unauthorized. As we have shown, however, Van Buren forecloses that argument: An improper purpose does not make for unauthorized access, so it also does not suffice to show intentional unauthorized access. See 593 U.S. at 396. And while we could scour the record for other proof as to why Dickson may or may not have intended to gain unauthorized access, “[i]t is not sufficient for a party to mention a possible argument in the most skeletal way, leaving the court to put flesh on its bones.” McPherson v. Kelsey, 125 F.3d 989, 995–96 (6th Cir. 1997) (quotation omitted).
III.
Conlan separately raises a claim under an analogous provision of the Stored Communications Act, 18 U.S.C. § 2701(a). That Act imposes criminal and civil penalties on anyone who “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” Id.; see id. § 2707(a). No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 13
The digital trespassing provisions of the Stored Communications Act and Computer Fraud and Abuse Act have several parallels. Congress passed the Stored Communications Act just five days after it amended the Computer Fraud and Abuse Act to cover “exceed[ing] authorized access.” Compare id. § 2701(a), Pub. L. 99-508, title II, § 201(a), 100 Stat. 1860 (Oct. 21, 1986), with id. § 1030(a)(2), Pub. L. 99-474, § 2(c), 100 Stat. 1213 (Oct. 16, 1986). The Stored Communications Act then picked up on the same elements from the Computer Fraud and Abuse Act. As a result, both Acts now prohibit intentional access without authorization and intentionally exceeding authorization. Id. §§ 2701(a), 1030(a)(2).
Some differences, to be sure, exist. The Computer Fraud and Abuse Act applies broadly to protect “computers,” a term that includes virtually any device that connects to the internet, plus some others. See id. § 1030(e)(1) (defining computer to include any “high speed data processing device performing logical, arithmetic, or storage functions,” except for an “an automated typewriter or typesetter, a portable hand held calculator, or other similar device”); see also id. § 1030(e)(2)(B) (defining the more narrow set of “protected computer[s]” to include any computer “which is used in or affecting interstate or foreign commerce or communication”). The Stored Communications Act, meanwhile, protects a somewhat different set of systems: “facilit[ies] through which an electronic communication service is provided.” Id. § 2701(a)(1). That includes, under several statutory definitions, facilities that allow users to transmit certain “signs, signals, writing, images, sounds, data, or intelligence”—aside from “electronic funds transfer[s],” “wire or oral communication[s],” or “communication[s] made through a tone-only paging” or “tracking device.” Id. §§ 2510(12), (15), 2711(1). For our purposes, however, these nuanced differences in coverage do not matter. No party disputes that the email platforms that Massey accessed were both “computers” within the meaning of the Computer Fraud and Abuse Act, id. § 1030(a)(2), and “facilit[ies]” for providing “electronic communication service[s]” within the meaning of the Stored Communications Act, id. § 2701(a).
What is more, all agree that both Acts contain the same theories of liability—that the “authorization” and “intent” requirements in both Acts apply in the same way here. See hiQ Labs, 31 F.4th at 1200. That means that the Conlan company’s claim under the Stored Communications Act fails for the same reason that its claim under the Computer Fraud and No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 14
Abuse Act fails. Because the Conlan company failed to show that Massey acted without authorization or intentionally exceeded his authorization, it cannot recover under either Act.
We affirm. No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 15
___________________________________________________
CONCURRING IN PART AND IN THE JUDGMENT ___________________________________________________
HELENE N. WHITE, Circuit Judge, concurring in part and concurring in the judgment. I agree with the majority that no jury could reasonably conclude that Massey knowingly exceeded his authorization by accessing Moore’s emails. The majority is also correct that, under Van Buren, a defendant’s allegedly improper motive is not evidence of unauthorized access. See Van Buren v. United States, 593 U.S. 374, 394 (2021). I write separately, however, because I conclude we must consider Dickson’s knowledge, not just Massey’s. I also clarify that evidence of an improper motive may be used for the statutes’ mens rea element.1
Dickson directed Massey to access Moore’s emails, but the majority does not consider Dickson’s intent; this is so although, as the majority readily admits, Dickson is the named defendant, and Massey was his agent. See Maj. op. 4 (“Dickson affiliates could be vicariously liable for any completed offenses of their agent.”); Aetna Cas. & Sur. Co. v. Leahey Const. Co., 219 F.3d 519, 542 (6th Cir. 2000) (describing the conditions under which an agency-principal relationship exists). Although an agent’s mens rea can be imputed to the principal, the majority should not have considered Massey’s knowledge to the exclusion of Dickson’s.2
The majority’s interpretation creates a troubling loophole. Under its analysis, employers and other principals can evade liability for illegal acts by directing their employees or agents to carry them out. As long as the employee or agent lacks knowledge of malfeasance, the
1Although Van Buren tells us that an improper motive cannot be used to show that an individual’s access was unauthorized, it can be considered for the statutes’ mens rea requirement. See Van Buren, 593 U.S. at 378. Accordingly, once a plaintiff shows that a defendant’s access was unauthorized, there is no prohibition on presenting evidence of an improper purpose to argue that the violation was knowing. 2The majority mistakenly argues that its approach is appropriate because the “parties focused on the intent of Massey.” Maj. op. 4. But the parties clearly address Dickson’s intent in their briefing as well. See, e.g., Appellants’ Br. 39–40 (alleging that Dickson had a “highly culpable state of mind” because he accessed the emails to harm Moore in the underlying litigation); Appellees’ Br. 37–38 (arguing that Dickson intended only to preserve evidence for the state-court action). No. 23-1573 Conlan Abu, et al. v. Dickson, et al. Page 16
employer/principal is in the clear. Imagine, for example, that an employer improperly obtains the password to a competitor’s email. The employer knows that she is not authorized to access the account so directs an IT employee to log in to the account instead, providing a plausible explanation. Under the majority’s analysis, the cybercrime statutes would not apply. This interpretation seriously undermines the statutes’ purposes.
Still, summary judgment is appropriate here because the majority’s analysis of Massey’s knowledge also applies to Dickson. See Maj. op. 11–13. The Trowbridge House account was registered in Dickson’s name, and Dickson paid for its maintenance. Moreover, Appellants tendered the Epicurean assets back to Appellees in July. In fact, there is no evidence that Appellants ever restricted Appellees from accessing the Trowbridge House account, nor did they request control of the account. Id. at 11. Appellants argue that they granted Appellees access to the account only on a case-by-case basis, but Van Buren undermines the argument. See Van Buren, 593 U.S. at 378. In Van Buren, the defendant was authorized to use the police database only for law-enforcement purposes. Id. Implicitly, the department’s policy did not authorize the defendant to use the database for any other purpose. Id. Even so, the Court held that this limitation did not render the defendant’s access unauthorized under the CFAA. See id.; Maj. op. 5–6. The allegation against Dickson here is similar to that against Van Buren—that his access was limited to legitimate purposes. Consequently, even if Moore implicitly restricted Dickson’s access, it was not rendered criminal by the statute.3 See also United States v. Bass, 404 U.S. 336, 347 (1971) (“[W]here there is ambiguity in a criminal statute, doubts are resolved in favor of the defendant.). Accordingly, there is no evidence showing that Dickson’s access was of the sort prohibited by the statutes, much less that Dickson knew his access was unauthorized.
For the foregoing reasons, I concur in part and concur in the judgment.
3Although the cybercrime statutes do not cover the conduct here, other causes of action may provide a remedy for similar conduct. For example, in a similar Fourth Circuit case where the CFAA did not apply, the panel surveyed nine other state-law causes of action could potentially provide relief. See WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) (including “conversion, tortious interference with contractual relations, civil conspiracy, and misappropriation of trade secrets”).