Could the Computer Fraud and Abuse Act be used to “turn ordinary
citizens into criminals”? Or is this fear based on “far-fetched” and “wacky
hypotheticals”?
Yes and yes, say the majority and dissent in United
States v. Nosal, a recent 9-2 decision of the U.S. Court of Appeals for
the 9th Circuit, sitting en banc. Chief Judge Alex Kozinski, writing for the
majority, acknowledged that its reading of the CFAA splits from other federal
appellate court decisions. A petition for certiorari could be filed this
summer.
Employees of an executive search firm allegedly accessed the
firm’s computer database to obtain information, which they gave to David Nosal,
a former employee. Nosal intended to use the information to compete with the firm.
After this came to light, Nosal was indicted on twenty counts,
including trade secret theft, mail fraud, conspiracy, and CFAA violations.
At issue on appeal is the phrase “exceeds authorized access”
to a computer under the CFAA.
To Chief Judge Kozinski, access and misuse of information
are two separate questions. The employees who allegedly fed Nosal information were
authorized to access the firm database. They had permission. The problem was
subsequent misuse of firm information. The solution is to prosecute the misuse
or look to Congress to amend the CFAA, not to imagine words that are not there.
Otherwise, Kozinski said, scores of unsuspecting people who
are authorized to use their work computers for business only, under computer-use
policies, but check sports news, send personal emails, or engage in other
non-work uses, even occasionally, could be guilty of a federal crime—exceeding
authorized access.
Kozinski was also concerned that violating particular sites’
terms of use could be criminalized. For instance, eHarmony’s terms of use
prohibit giving “inaccurate, misleading or false information.” Saying that you
are “‘tall, dark, and handsome,’ when you’re actually short and homely, will
earn you a handsome orange jumpsuit,” Kozinski surmised.
Kozinski noted that the majority’s reading of the CFAA veers
from 5th,
7th, and 11th
Circuit decisions and invited those circuits to reconsider.
Judge Barry Silverman, in dissent, was unimpressed.
This case is not about “playing sudoku, checking email,
fibbing on dating sites, or any of the other activities” the majority discussed,
Judge Silverman wrote. It is about “stealing an employer’s valuable information
to set up a competing business with the purloined data.” The majority’s “far-fetched”
and “wacky hypotheticals” miss the point.
Nosal’s co-conspirators were authorized to be in the firm
system for firm business, not to steal its information. Silverman gave this
example: “A bank teller is entitled to access a bank’s money for legitimate
banking purposes, but not to take the bank’s money for himself.”
Other circuits got it right, Silverman explained. Those
courts found that authorized access had been exceeded under the CFAA when a
Citigroup employee used information from a company database to commit fraud, a
Social Security Administration employee tracked old flames and potential new
ones via the SSA system, and an employee of a government contractor used her
work access to view then-candidate Barack Obama’s student loan records.
The Obama student loan case, from the 8th
Circuit, was not discussed in the majority opinion.
At the request of the United States, the losing party in Nosal, the 9th Circuit stayed its mandate
pending filing of a petition for certiorari. The en banc decision was issued in
April, so a petition could be filed with the Supreme Court as late as July.
