Ignoring Warnings Against Network Access Leads to CFAA Violations

The Ninth Circuit has issued decisions regarding the Computer Fraud and Abuse Act (CFAA) twice so far this month. Crimes involving the use of computers date back to at least the early 1980s, but the existing mail and wire fraud crime statutes were not adequate to address criminal activity arising out of computer use.  Congress enacted the CFAA as part of the Comprehensive Crime Control Act of 1984 to address this gap in crime coverage.  The CFAA protects against the unauthorized access and use of computers and computer networks and creates both criminal and civil liability.  Network users: Heed the warning to “get off of my cloud.”

In determining the meaning of “accesses a protected computer without authorization” (18 U.S.C. §1030(a)(4)) in the criminal context, the Ninth Circuit said:

We conclude that ‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.

(Opinion pdf pages 4 -5).

Continue reading “Ignoring Warnings Against Network Access Leads to CFAA Violations”

Computer Fraud and Abuse Act’s Purpose is to Punish Hacking, Not Corporate Misappropriation, Rules Ninth Circuit

The latest word from the Ninth Circuit is that the Computer Fraud and Abuse Act (CFAA) does not protect employers against misappropriation by its employees and former employees of trade secrets and other confidential company information. 

In U.S. v. Nosal, David Nosal was a former employee of Korn/Ferry, an executive search firm.  Nosal decided to start his own business to compete with Korn/Ferry.  He persuaded current Korn/Ferry employees to use their log-in credentials to download, and provide to him, information kept in a confidential database on a Korn/Ferry computer.  Although the employees were authorized to access the database, Korn/Ferry policies forbid disclosing confidential information.  The federal government indicted Nosal, charging him with CFAA violations, trade secret theft, mail fraud and conspiracy.  The CFAA charges involve violations of 18 U.S.C. §1030(a)(4), “for aiding and abetting the Korn/Ferry employees in ‘exceeding their authorized access’ with intent to defraud.”  (Opinion pdf page 3).

Continue reading “Computer Fraud and Abuse Act’s Purpose is to Punish Hacking, Not Corporate Misappropriation, Rules Ninth Circuit”

Game Developer Alleges Copyright and Computer Fraud and Abuse Act Violations in Suit Against Unknown Defendants

Plaintiff Square Enix Limited develops, distributes and markets copyrighted computer video games worldwide.  This case concerns “Deus Ex: Human Revolution” (the Game), the eagerly awaited sequel to Square Enix’s “Deus Ex.”  Square Enix is preparing to commercially release the Game around August 2011.  Square Enix is a British corporation located in London, England.

Square Enix alleges the following facts (pdf):  To generate prerelease publicity, Square Enix created an unpublished version of the Game for limited preview to select video game media representatives.  It distributed the Game preview through Steam.  Steam is an Internet game distribution platform operated by Valve Corporation.  Valve is headquartered in Bellevue, Washington, in the Western District of Washington.  “Steam delivers game content using a proprietary file transfer protocol and protects it with digital rights management software.”  (Complaint pdf page 4).  Steam is believed to collect and store information about user accounts, including IP addresses and hardware identification numbers.

Square Enix authorized a reviewer from the Italian video game review magazine “Giochi per il Mio Computer” (GMC) to preview the Game using Steam.  Media representatives who previewed the Game, including GMC and its reviewer, signed nondisclosure agreements agreeing not to reproduce or disclose the Game preview.  Square Enix preregistered its copyright for the Game with the United States Copyright Office.

On May 29, 2011, one or more of Defendants Does 1-15 used the GMC reviewer username and password to log onto the restricted Steam account from an IP address not associated with GMC or its parent company.  One or more of the Defendants accessed and copied the Game preview from the Steam server without authorization and “distributed it to other Defendants and third parties using the peer-to-peer file sharing protocol BitTorrent.”  (Complaint pdf page 4).  Defendants and others then made unauthorized copies of the Game preview.

Square Enix claimed direct, contributory and vicarious infringements of its copyright by the Defendants.  Direct infringement occurs when someone copies a copyrighted work without authorization.  Contributory infringement occurs when someone who knows of the infringing activity assists in someone else’s infringing activity.  Vicarious infringement occurs when someone who has the right and ability to control the infringer’s conduct receives direct financial benefit from the infringement.  “Defendants copied, distributed, displayed, exhibited, performed, and/or created derivative works of the Game Preview, which consisted of a significant and material portion of the Game.”  (Complaint pdf page 5).  Square Enix alleges that Defendants also participated in each other’s infringing conduct and that some of the Defendants who had the ability to control the infringing conduct of others received direct financial benefits from the infringement.

Square Enix also claimed that Defendants violated the Computer Fraud and Abuse Act (CFAA).  The CFAA (18 U.S.C. §1030) protects against a variety of computer abuses arising out of unauthorized access or exceeding authorized access to a computer.  Square Enix alleges that Valve’s server is the computer which Defendants accessed without authorization and/or exceeded authorized access to obtain information they were not entitled to access.  Square Enix stored its proprietary information on Valve’s computer, limited authorized access to the information and was damaged by Defendants’ unauthorized access and/or access exceeding authorization.

This case is Square Enix Limited v. Does 1-15, C11-1045 MJP, Western District of Washington at Seattle.