Last month, the Ninth Circuit affirmed the criminal conviction of an individual for accessing a computer “without authorization” in violation of the Computer Fraud and Abuse Act (“CFAA”). U.S. v. Nosal (9th Cir., July 5, 2016).
The CFAA imposes criminal penalties on whoever “accesses a protected computer without authorization, or exceeds authorized access . . .” 18 U.S.C. § 1030.
“Without authorization”, the court ruled, means “accessing a protected computer without permission.”
In Nosal, a former employee of an executive search firm conspired with former colleagues to obtain confidential source lists and client contact data to start a competing search firm. Among other counts, Nosal was charged with violating the CFAA. The question before the three-judge panel was whether Nosal conspired to access a protected computer “without authorization” when he and his accomplices used the login credentials of Nosal’s former assistant to access the search firm’s proprietary information. Affirming Nosal’s conviction, the court held that Nosal did act “without authorization” when he continued to access data after his former employer rescinded permission to access its computer system.
Justice Reinhardt issued a vehement dissent in the case. He argued that the case was about simple password sharing, and the majority opinion “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” He emphasized that the CFAA is a criminal statute and must be construed more narrowly than a civil statute. A better interpretation of “without authorization”, he urged, is accessing a computer without the permission of either the system owner or a legitimate account holder. Though the facts of this case were distasteful, he noted that the court’s ruling had broader legal implications and thus he could not endorse the majority’s opinion.
Interestingly, this is the second time the Ninth Circuit has interpreted provisions of the CFAA in this case, and the first case touched on the very issues the dissent addressed. In the prior opinion, an en banc panel of the Ninth Circuit ruled on the meaning of “exceeds authorized access.” The court held that “exceeds authorized access” serves to restrict access to information but did not restrict how that information was used. Accordingly, the court determined that Nosal did not violate the CFAA when he had his former colleagues access information from the firm’s confidential databases and send it to him. Those colleagues were authorized to access the data. The CFAA, the court ruled, was not intended to impose criminal liability for violations of private computer use policies. The en banc panel construed the statute narrowly, “so that Congress will not unintentionally turn ordinary citizens into criminals.”
The majority’s recent opinion will likely not be the last word on this issue. Nosal will be filing a Petition for Rehearing and Rehearing en Banc. If this eventually gets to the panel it will be left to be seen whether Judge Reinhardt’s position seeking narrow construction of the term “without authorization” will be followed.