The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), has become increasingly popular both for civil actions and criminal prosecutions involving hacking or similar misuse of computers. The key language in the Act imposes liability on
Whoever . . . accesses a protected computer without authorization, or exceeds authorized access . . .
The Act does not define “authorization” and for years courts have adopted dramatically different interpretations of this seemingly simple word. The difference between “without authorization” and “exceeds authorized access” has been properly characterized as “razor thin,” but in neither case does the Act spell out whose authorization is required, let alone when or how it is to be given – explicit, implicit or otherwise. This lacuna has resulted in virtually identical conduct being treated as a violation in some jurisdictions and not in others. With two new decisions from the Ninth Circuit, those sharp splits have become even more difficult to reconcile.
Most frequently the CFAA is implicated in cases involving former employees who either directly obtained confidential company information before changing jobs, or who persuaded someone still at the company to obtain it for them. Whether the CFAA applies to such fact patterns depends on whether the defendant had authority to do what they did. The problem: courts disagree about how to make that assessment.
For instance, the Seventh Circuit’s seminal ruling, Int’l Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006) involved accusations that an employee, while still employed, accessed his employer’s protected computer in order to obtain confidential information that he planned to use against the employer after leaving his job. At the time the employee did so, his employer had authorized him to access its system as part of his employment. Even so, the Court found that the employee’s disloyal acts were “unauthorized.” The Court reasoned that once the employee breached his duties to the employer, the employee was no longer authorized, just as an in a principal-agent paradigm: “breach of his duty of loyalty terminated his agency relationship…and with it his authority to access the laptop….” Id. at 420-21. The fact that the employer had not actually revoked the employee’s authority was immaterial.
Commentators noted that the Seventh Circuit’s ruling made the determination whether someone violated the CFAA purely subjective, since it depended on what the defendant intended at the time he acted rather than some objectively ascertainable fact. For a law that has criminal as well as civil implications, this is worrisome: As Justice Scalia has emphasized, “[w]hen interpreting a criminal statute, we do not play the part of a mindreader.” United States v. Santos, 553 U.S. 507, 515 (2008).
The Court explained why it was rejecting the Seventh Circuit’s reading of the Act:
The effect this broad construction of the CFAA has on workplace conduct pales by comparison with its effect on everyone else who uses a computer, smart-phone, iPad, Kindle, Nook, X-box, Blu–Ray player or any other Internet-enabled device. The Internet is a means for communicating via computers: Whenever we access a web page, commence a download, post a message on somebody’s Facebook wall, shop on Amazon, bid on eBay, publish a blog, rate a movie on IMDb, read www.NYT.com, watch YouTube and do the thousands of other things we routinely do online, we are using one computer to send commands to other computers at remote locations. Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands.
In response to the government’s assurances that it would not prosecute minor violations, the court noted that individuals routinely lie or exaggerate while using services or websites that utilize the Internet in violation of those websites’ user agreements, and noted that, in reality, “[t]he difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.”
And, the Court noted that
[T]he government’s proposed interpretation of the CFAA allows private parties to manipulate their computer‐use and personnel policies so as to turn these relationships into ones policed by the criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private policies that are lengthy, opaque, subject to change and seldom read. Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a ‘nonbusiness purpose’? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?
The Fourth Circuit took the same, ‘narrow’ approach in interpreting the CFAA in WEC Carolina Energy Solutions v. Miller, 687 F3d 199 (4th Cir. 2012):
The deficiency of a rule that revokes authorization when an employee uses his access for a purpose contrary to the employer’s interests is apparent: Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems . . . . [W]e do not think Congress intended . . .the imposition of criminal penalties for such a frolic.
Id. at 206.
Yet in a pair of new rulings last week, the Ninth Circuit muddied the waters regarding the effective reach of the CFAA. The first was a new opinion in subsequent proceedings from the initial, precedent-setting en banc Nosal decision – U.S. v. Nosal, No. 14-10037 (9th Cir. July 5, 2016) (“Nosal II”).
Nosal II differed from Nosal I in only one respect: the access at issue in Nosal I was by employees who remained behind at the company and “unquestionably had authorization from the company to access the system,” but who then shared the data they obtained with the departed employees. By contrast, Nosal II addressed conduct by the same remaining-behind employees in allowing the same departed employees to use their still-valid login credentials to access the system and obtain the data. Thus, the Court said, Nosal I simply held that without unauthorized access, there could be no CFAA claim. However, in Nosal II the court explained that the defendant was not authorized to access the system and that his use of others’ credentials did not change that fact. Effectively the Court holds that defendant’s intentional evasion of the employer’s revocation of his authority justifies application of the “exceeds authorized access” provision of the CFAA to his conduct.
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.
Today, addressing only slightly different conduct, the majority repudiates important parts of Nosal I, jeopardizing most password sharing. It loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.
A comparable shock wave resulted when the same court issued its ruling in Facebook v. Power Ventures (July 12, 2016 — F.3d —- 2016 WL 3741956) just a week later. You already know what Facebook is. Power Ventures created a website that allowed people to aggregate their social networking information into one place. A user would sign up, provide logon credentials for whichever social networking sites they chose, and the website would display the requested information. Additional tools were available to allow a user to post or transmit messages to the users friends on those sites.
Facebook was not pleased. It sent a cease and desist letter and blocked Power Venture’s IP address in an effort to prevent its access. Power Ventures switched IP addresses and circumvented the Facebook block, and continued making use of data that it obtained from Facebook in accord with its users direction. But it went out of business in 2011, and Facebook was granted summary judgment on its claims.
There was no dispute that Facebook did not authorize Power Ventures to access its system, but the key issue on appeal was whether the permission that users gave Power Venture to utilize their logon credentials was sufficient. The Ninth Circuit said “no,” and synthesized two “general rules” for application of the CFAA:
It is difficult to reconcile the Facebook court’s first “rule” with the Ninth Circuit’s en banc opinion in Nosal I and its virtually indistinguishable facts. Will the Facebook ruling get en banc review? Those who desire clarity in the law certainly hope so.
A related and potentially quite troublesome aspect of the Facebook ruling is its disregard for users authority over their own data. The Court castigated Power Ventures for admitting it “took, copied or made use of data from the Facebook website without Facebook’s permission” (emphasis in original) without stopping to recognize that the data itself was that which the users could obtain directly, and which those users had expressly authorized Power Ventures to obtain on its behalf. The Court analogized to accessing a safe deposit box which required consent from both the owner of the box and the bank in which the box was kept. Yet such real-world metaphors are inherently unsuited to the virtual environment – it is not apparent why the owner of the contents of a safe deposit box would not have the undisputed right to allow someone else to obtain the contents of the box if obtaining those contents did not entail physical entry into the bank. And the potential implications of allowing a particular website to overrule users’ decisions about sharing their own data are alarming.