We don’t usually talk about four-year-old court decisions in the first instance here. But the Ninth Circuit has issued a pair of noteworthy opinions interpreting the Computer Fraud and Abuse Act in the last few weeks. And to understand those it will help to understand United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), an en banc opinion authored by Judge Kozinski.
Facts
The facts are mercifully short. David Nosal used to work for Korn/Ferry, an executive search firm. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information.
Charges
The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the Computer Fraud and Abuse Act. The CFAA counts charged Nosal with violations of 18 U.S.C. § 1030(a)(4), for aiding and abetting the Korn/Ferry employees in “exceed[ing their] authorized access” with intent to defraud. At the time, the CFAA defined “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).
Legal Discussion
Did Nosal violate the statute? Kozinski wrote that the operative language could be read in two ways: First, as Nosal suggested, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files – what the kids call “hacking” these days. Second, as the government proposed, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.
The government focused on two key words from the statute. It first examined the word “entitled” in the phrase an “accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6) (emphasis added). Pointing to one dictionary definition of “entitle” as “to furnish with a right,” the government argued that Korn/Ferry’s computer use policy gave employees certain rights, and when the employees violated that policy, they “exceed[ed] authorized access.” But the court said “entitled” in the statute referred to how an accesser “obtain[s] or alter[s]” the information, whereas the computer use policy uses “entitled” to limit how the information is used after it is obtained. Then the government looked at the word “so” in the same phrase. See 18 U.S.C. § 1030(e)(6) (“accesser is not entitled so to obtain or alter” (emphasis added)). The government read “so” to mean “in that manner,” which it claimed must refer to use restrictions. In the government’s view, reading the definition narrowly would render “so” superfluous.
The court didn’t agree, and said the government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. But the court also said a narrow interpretation of “so” did not render it superfluous. One of Judge Kozinski’s hypotheticals went like this: Suppose an employer keeps certain information in a separate database that can be viewed on a computer screen, but not copied or downloaded. If an employee circumvents the security measures, copies the information to a thumb drive and walks out of the building with it in his pocket, he would then have obtained access to information in the computer that he is not “entitled so to obtain.”
The government agreed that the CFAA was concerned with hacking, but only the “without authorization” part. In the government’s version, the “exceeds authorized access” prohibition applied to people who are authorized to use the computer, but do so for an unauthorized purpose. But the court said it was possible to read both prohibitions as applying to hackers: “[W]ithout authorization” would apply to outside hackers (individuals who have no authorized access to the computer at all) and “exceeds authorized access” would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).
Employees routinely g-chat with friends, check Facebook, shop for clothes, and watch sports highlights, and under a broad interpretation of the CFAA, computer-use policies that prohibit those activities could transform them into federal felonies. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer (one of Judge Kozinski’s favorite pastimes, I guess), you could be, the court said. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement. Also, employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. In the end, the court was too creeped out by the prospect of federal crimes being defined by employer computer use policies. We’ll get into these issues more for the rest of the week.