In a decision that should give many employees a sigh of relief, the Ninth Circuit has held that browsing the Internet in contravention of an employer’s use restrictions does not give rise to criminal penalties under the Computer Fraud and Abuse Act (CFAA) 18 U.S.C. § 1030. 

In United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151 (April 10, 2012), Nosal — a former employee for the Korn/Ferry executive search firm — was prosecuted for violating the CFAA by convincing fellow employees to use their log-in credentials to download customer information from a confidential database on the company’s computer system and transferring the information to him for his new competing business.  The government prosecuted Nosal under a provision in the CFAA that makes it a federal crime “knowingly and with intent to defraud” to “access[] a protected computer without authorization, or exceed[] authorized access, and by means of such conduct further[] the intended fraud and obtain[] anything of value.”  18 U.S.C. § 1030(a)(4) (emphasis added). 

Nosal moved for dismissal of these charges on the ground that the phrase “exceeds authorized access” means exceeding authorization to access particular data and files, i.e., “hacking” unauthorized files.  The government argued that the language included the situation where an individual has “unrestricted physical access to a computer, but is limited in the use to which he can put the information.”  Nosal at *5.  The Ninth Circuit reversed an April 2011 panel decision in an en banc majority opinion by Chief Judge Kozinksi.  See SWIPLit Ninth Circuit to Revisit Expansive Interpretation of Computer Fraud and Abuse Act (November 2, 2011).  The court held that Nosal had the better argument, in large part because the CFAA was intended to combat hacking rather than to “criminalize any unauthorized use of information obtained from a computer.”  Nosal at *11. 

The Ninth Circuit emphasized that a holding that unauthorized use of information would violate the CFAA would mean that “millions of unsuspecting individuals would find that they are engaging in criminal conduct” by violating their employers’ restrictions on Internet use by “g-chatting with friends, playing games, shopping or watching sports highlights.”  Nosal at *15.  The court also observed that violating the terms of use of an Internet website, e.g., posting an item for sale that is prohibited by Craigslist or misrepresenting one’s personal appearance on a dating website, would violate the CFAA and “earn you a handsome orange jumpsuit.”  Nosal at *21. 

The dissent accused the majority of “knocking down straw men” through “far-fetched hypotheticals.”  The dissent stated that the “case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values.  It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”  Nosal at *27-28.  

The dissent further observed  that it was highly unlikely that employees visiting ESPN.com in contravention of office policies would violate 18 U.S.C. 1030(a)(4) because that section of the CFAA required both criminal intent and specific intent to defraud.  The dissent also accused the majority of engaging in a sleight of hand by concentrating on other provisions of the CFAA not at issue in the case, including 18 U.S.C. 1030(a)(2)(C), which could be read to penalize “unauthorized access” of a computer by individuals lacking any intent to defraud.  “Other sections of the CFAA may or may not be unconstitutionally vague or pose other problems.  We need to wait for an actual case or controversy to frame these issues, rather than posit a laundry list of wacky hypotheticals.”  Nosal at *35