The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application. The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.” Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.
Let’s back up. While some forms of “unauthorized access” are immediately obvious, the full scope of the statute’s reach remains the subject of a lively debate. Obviously, nobody would doubt that hacking a password-protected computer is illegal. But a more difficult question is whether using a company’s computer in a manner that violates company policy constitutes “unauthorized access” or “exceeding authorized access”? Or, how about password sharing? These are vital questions that, unfortunately, the Supreme Court punted on answering last week.
Consistent with the rule of lenity, some have argued that the CFAA should be construed narrowly, and a few courts have agreed. The best (and most interesting) example of this approach is the decision of the U.S. Court of Appeals for the Second Circuit in United States v. Gilberto Valle, the notorious “cannibal cop” case. Before his arrest, Valle was a New York City Police Department officer who, on the internet, discussed violent fantasies about real people, including his wife. In reality, however, he never actually reached the point of committing any of the grotesque acts he described. For most people, the “fundamental question” presented by the case (to quote The New York Times) was: “When does a virtual crime, contemplated in Internet chat rooms, become an actual crime?” (Indeed, a documentary about the case is entitled “Thought Crimes: The Case of the Cannibal Cop.”)
Less well known but important for our purposes is that the Second Circuit in late 2015 issued a ruling in the Valle case interpreting the CFAA narrowly, which is now authoritative for those states in the Second Circuit’s jurisdiction (New York, Connecticut, and Vermont). Through his job as a NYPD police officer, Valle had access to various restricted government databases, which he used to research sensitive information about his victims (or, fantasy victims?). Official NYPD policy provided that the databases could be used only for legitimate law-enforcement purposes, and there was no question that Valle’s use wasn’t that. So, did Valle’s violation of NYPD policy mean that he “exceeded authorized access” under CFAA? The Second Circuit concluded that it did not. The thrust of the decision was that CFAA is principally an anti-hacking law, and violation of an employer policy is irrelevant.
In early 2016, the Court of Appeals for the Ninth Circuit took a more expansive approach to the CFAA in United States v. David Nosal. The case had a long and complicated history, but we need only touch upon a few key points here. Before his arrest, Nosal worked at an executive search firm. After he was passed up for a promotion, he decided to start his own competitor firm and left the company. After his employment ended, the firm terminated Nosal’s access to their computer system. Undeterred, he borrowed the credentials of his former assistant, who was still at the firm, to access the computer system and obtain proprietary information. Therein lies the dilemma: The assistant was authorized to access the computer system since she was a current employee, but Nosal’s access had been terminated. So, when the assistant allowed Nosal to use her valid password and account access, was Nosal guilty of “unauthorized access”? Yes, concluded two of the three judges on the Ninth Circuit panel that decided the case. The thrust of the decision was that the CFAA prohibits access to a computer system using somebody else’s account, at least in circumstances where one’s own access was previously terminated. The majority distinguished Valle as a case about “exceeding authorized access” rather than “unauthorized access.” The dissenting judge, by contrast, echoed Valle, accusing the majority of “losing sight of the anti-hacking purpose of the CFAA” and “jeopardizing most password sharing.”
A forceful argument for construing CFAA narrowly is that, as a criminal statute, the rule of lenity calls for ambiguities in the law to be resolved in favor of the defendant. However, while this post has focused on criminal cases, CFAA has a civil component as well. The statute provides a cause of action companies may assert (and have) in a variety of circumstances, such as against former employees who have misappropriated proprietary information (as illustrated by Nosal). Depending on how broadly CFAA is construed in the criminal context, so follows the civil component. That is because, although the rule of lenity traditionally does not apply to civil rather than criminal laws, to the extent CFAA’s civil counterpart to the criminal provisions has the same statutory language, it is to be interpreted the same way.
The Valle and Nosal decisions demonstrate that courts plainly vary in their attitudes about the reach of the CFAA. It is in these circumstances precisely where the Supreme Court should step in and clarify a nationwide standard. And that is why the Supreme Court’s decision last Tuesday to deny certiorari in the Nosal case was so disappointing. (The Court also denied certiorari in a second CFAA case, Facebook v. Power Ventures, which we have previously discussed.) And so, this post ends where it started: What does it mean to access a computer “without authorization” or “exceed authorized access”? Is CFAA principally an anti-hacking law with only limited application, as the Second Circuit suggested in Valle? Or does the statute reach further, as the Ninth Circuit concluded in Nosal? For now, the answer depends on which part of the country you live in. Stay tuned.