Could the Computer Fraud and Abuse Act be used to “turn ordinary citizens into criminals”? Or is this fear based on “far-fetched” and “wacky hypotheticals”?
Yes and yes, say the majority and dissent in United States v. Nosal, a recent 9-2 decision of the U.S. Court of Appeals for the 9th Circuit, sitting en banc. Chief Judge Alex Kozinski, writing for the majority, acknowledged that its reading of the CFAA splits from other federal appellate court decisions. A petition for certiorari could be filed this summer.
Employees of an executive search firm allegedly accessed the firm’s computer database to obtain information, which they gave to David Nosal, a former employee. Nosal intended to use the information to compete with the firm.
After this came to light, Nosal was indicted on twenty counts, including trade secret theft, mail fraud, conspiracy, and CFAA violations.
At issue on appeal is the phrase “exceeds authorized access” to a computer under the CFAA.
To Chief Judge Kozinski, access and misuse of information are two separate questions. The employees who allegedly fed Nosal information were authorized to access the firm database. They had permission. The problem was subsequent misuse of firm information. The solution is to prosecute the misuse or look to Congress to amend the CFAA, not to imagine words that are not there.
Otherwise, Kozinski said, scores of unsuspecting people who are authorized to use their work computers for business only, under computer-use policies, but check sports news, send personal emails, or engage in other non-work uses, even occasionally, could be guilty of a federal crime—exceeding authorized access.
Kozinski noted that the majority’s reading of the CFAA veers from 5th, 7th, and 11th Circuit decisions and invited those circuits to reconsider.
Judge Barry Silverman, in dissent, was unimpressed.
This case is not about “playing sudoku, checking email, fibbing on dating sites, or any of the other activities” the majority discussed, Judge Silverman wrote. It is about “stealing an employer’s valuable information to set up a competing business with the purloined data.” The majority’s “far-fetched” and “wacky hypotheticals” miss the point.
Nosal’s co-conspirators were authorized to be in the firm system for firm business, not to steal its information. Silverman gave this example: “A bank teller is entitled to access a bank’s money for legitimate banking purposes, but not to take the bank’s money for himself.”
Other circuits got it right, Silverman explained. Those courts found that authorized access had been exceeded under the CFAA when a Citigroup employee used information from a company database to commit fraud, a Social Security Administration employee tracked old flames and potential new ones via the SSA system, and an employee of a government contractor used her work access to view then-candidate Barack Obama’s student loan records.
The Obama student loan case, from the 8th Circuit, was not discussed in the majority opinion.
At the request of the United States, the losing party in Nosal, the 9th Circuit stayed its mandate pending filing of a petition for certiorari. The en banc decision was issued in April, so a petition could be filed with the Supreme Court as late as July.