A recent decision from the Ninth Circuit Court of Appeals has created turmoil for federal prosecutions involving the Computer Fraud and Abuse Act (CFAA). This decision raises more questions than it answers in an already nebulous area of law.
What is the CFAA?
The CFAA, which is set forth in 18 U.S.C. § 1030, imposes criminal liability on individuals who commit offenses involving or affecting computers and computer networks. The United States v. Nosal (Nosal II), 828 F.3d (9th Cir. 2016) involved application of 18 U.S.C. § 1030(a)(4), which prohibits someone from “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value … ” (Emphasis added).
Nosal was employed at an executive search firm when he decided to launch a competitor. Upon terminating his employment, his authorization to access the database was revoked. Two co-workers, who would eventually join Nosal in the new venture, downloaded confidential information to use in the new enterprise before leaving the company. Although authorized to access the database as current employees, their downloads on behalf of Nosal violated the company’s confidentiality and computer use policies.
After Nosal’s co-workers formally left the company, their authorization was likewise revoked. They continued to access the database, however, utilizing the login credentials of a current employee who willingly provided them the information.
Nosal was initially indicted with 20 criminal counts, including eight violations of the CFAA. United States v. Nosal (Nosal I), 676 F.3d 854 (9th Cir. 2012) (en banc). Five of the eight CFAA counts were based on the employees accessing the database during their employment with the company. The district court dismissed these counts, determining the employees had authorization to access the database during their company tenure regardless of any violation of the company’s computer use policies.
On appeal, the Ninth Circuit examined whether Nosal’s former colleagues acted “without authorization, or exceed[ed] authorized access” when they downloaded information and shared it with Nosal. Id. at 864. The court opined that the statute was meant to address hacking offenses as opposed to violations of a company’s policy restrictions; thus, because Nosal’s accomplices had authority to access the company computers during their employment, the Ninth Circuit held that no violation of the CFAA occurred. Id. at 863.
The Ninth Circuit remanded the case to the district court for trial on the remaining counts. The government subsequently filed a superseding indictment charging Nosal with, inter alia, three CFAA offenses. These counts referred to three occasions when the former employees accessed the company’s system after their employment terminated, using a current employee’s login credentials. The district court denied Nosal’s motion to dismiss the CFAA counts and a jury convicted him on all counts. The matter was again appealed to the Ninth Circuit.
In Nosal II, the Ninth Circuit was confronted with the question of whether the “without authorization” prohibition of the CFAA extends to a former employee who accesses the computer by utilizing the login credentials of a current employee. The court reasoned that “without authorization” is an unambiguous term that means accessing a protected computer without permission. Nosal II, 828 F.3d at 868. The majority concluded that because the defendants’ “authorization” to access the company’s database had been revoked by the employer upon the termination of employment, there was sufficient evidence to establish a CFAA violation.
The dissent characterized this conduct as incidents of “password sharing.” Because the current employee was authorized to access the database and voluntarily provided the former employees with her login credentials, the dissent maintained that no violation of the CFAA occurred. The dissent harshly criticized the majority’s rationale, noting it repudiated important parts of Nosal I, jeopardizing seemingly innocuous and routine conduct of ordinary citizens.
Implications of Nosal II Decision
The discrepancy regarding the “without authorization” language stems from a disagreement about who can provide – and rescind – authorization. While the majority in Nosal II interpreted the statute to criminalize access by those without “permission conferred by” the system owner, the dissent posited that an equally appropriate – and potentially preferable – interpretation is to criminalize access only by those without “permission conferred by” either a legitimate account holder or the system owner.
Regardless of which interpretation is correct, Nosal II creates a slippery slope that would permit prosecutions under the CFAA for seemingly innocuous and routine behavior. An office worker having a friend log in to their email to print a boarding pass would count as a violation of the system owner’s access policy. Logging into a spouse’s bank account to pay a bill would violate the bank’s password sharing prohibition. Logging onto a computer on behalf of a colleague who is out of the office to send him an important document would be in violation of computer access policy. The examples can go on and on.

Eric Nemecek