Ignoring Warnings Against Network Access Leads to CFAA Violations

The Ninth Circuit has issued decisions regarding the Computer Fraud and Abuse Act (CFAA) twice so far this month. Crimes involving the use of computers date back to at least the early 1980s, but the existing mail and wire fraud crime statutes were not adequate to address criminal activity arising out of computer use.  Congress enacted the CFAA as part of the Comprehensive Crime Control Act of 1984 to address this gap in crime coverage.  The CFAA protects against the unauthorized access and use of computers and computer networks and creates both criminal and civil liability.  Network users: Heed the warning to “get off of my cloud.”

In determining the meaning of “accesses a protected computer without authorization” (18 U.S.C. §1030(a)(4)) in the criminal context, the Ninth Circuit said:

We conclude that ‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.

(Opinion pdf pages 4-5).

David Nosal worked at Korn/Ferry, an executive search firm.  Nosal left Korn/Ferry to open his own firm, in competition with Korn/Ferry.  Nosal persuaded current Korn/Ferry employees to use their log-in credentials to download, and provide to him, information kept in a confidential database on a Korn/Ferry computer.  Although the employees were authorized to access the database, Korn/Ferry computer use policies forbade disclosing confidential information.  In a 2012 opinion, the Ninth Circuit distinguished between access restrictions and use restrictions, ruling that “exceeds authorized access” under §1030(a)(4) did not extend to use restriction violations.  I posted on that decision in “Computer Fraud and Abuse Act’s Purpose is to Punish Hacking, Not Corporate Misappropriation, Rules Ninth Circuit.”

Section 1030(a)(4) includes two prongs: “knowingly and with intent to defraud, [first prong] accesses a protected computer without authorization, or [second prong] exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”  The 2012 Nosal decision involved the second prong, exceeds authorized access.  The current decision involves the first prong, without authorization.

Relevant to the current Nosal case, Korn/Ferry revoked Nosal’s computer access credentials when he left the company.  Nosal continued to access the Korn/Ferry database using the credentials of Nosal’s former assistant, who continued to work at Korn/Ferry at Nosal’s request. 

The Ninth Circuit ruled that Nosal’s conduct was covered by the plain language of the CFAA.

Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA’s prohibition on access ‘without authorization,’ and thus we affirm Nosal’s conviction for violations of § 1030(a)(4) of the CFAA.

(Opinion pdf page 7).

The Ninth Circuit reiterated that the CFAA is not intended to cover the unauthorized use of information, but it is intended to cover unauthorized access – “getting into the computer after categorically being barred from entry.”  (Opinion pdf page 17).  The dissent viewed the case as a password sharing case and argued that Nosal did not violate the CFAA.

On the civil side, the Ninth Circuit addressed the CFAA in Facebook’s suit against Power Ventures.  Power Ventures operated Power.com.  Power.com aggregated all of a user’s social networking information onto one page, allowing a user to use the Power.com website to track all social media without going to the user’s individual social networking sites.  To attract more users, Power ran a promotional campaign that at times generated email messages through the Facebook system.  Facebook limits and controls access to its website, in part, by requiring third party developers to register with Facebook and agree to additional Developer Terms of Use.

Facebook sent a cease and desist letter to Power, tried to get Power to sign Facebook’s Developer Terms of Use and blocked Power’s Internet Protocol (IP) address.  Power refused to sign Facebook’s Developer Terms of Use and continued to access Facebook’s system by circumventing Facebook’s IP block.  Power admitted to taking, copying and using data from Facebook.com without Facebook’s permission.

Facebook sued Power for CFAA and other statutory violations. 

From its previous cases, including the second Nosal case, the Ninth Circuit distilled

two general rules in analyzing authorization under the CFAA. First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability. Second, a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.

(Opinion pdf page 16.)

The Ninth Circuit ruled that Facebook users may have initially given Power permission to access Facebook’s computers by signing up for Power’s promotion.  The Court compared it to allowing a friend to use a computer.  Facebook expressly rescinded any permission arguably given by its users by sending Power the cease and desist letter and by demanding that Power stop interacting with Facebook through automated scripts.  Facebook also blocked Power’s IP address.

In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers ‘without authorization’ within the meaning of the CFAA and is liable under that statute.

(Opinion pdf page 19).

The Ninth Circuit affirmed the district court’s CFAA liability holding, but remanded to the district court to reconsider appropriate remedies.

These cases are:

U.S. v. Nosal, Nos. 14-10037, 14-10275, Ninth Circuit Court of Appeals, majority opinion by Judge M. Margaret McKeown, joined by Chief Judge Sidney R. Thomas, Judge Stephen Reinhardt dissenting.

Facebook, Inc. v. Power Ventures, Inc., No. 13-17154, Ninth Circuit Court of Appeals.
