The Ninth Circuit has issued decisions regarding the Computer Fraud and Abuse Act (CFAA) twice so far this month. Crimes involving the use of computers date back to at least the early 1980s, but the existing mail and wire fraud crime statutes were not adequate to address criminal activity arising out of computer use. Congress enacted the CFAA as part of the Comprehensive Crime Control Act of 1984 to address this gap in crime coverage. The CFAA protects against the unauthorized access and use of computers and computer networks and creates both criminal and civil liability. Network users: Heed the warning to “get off of my cloud.”
In determining the meaning of “accesses a protected computer without authorization” (18 U.S.C. §1030(a)(4)) in the criminal context, the Ninth Circuit said:
We conclude that ‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.
(Opinion pdf pages 4 -5).
David Nosal worked at Korn/Ferry, an executive search firm. Nosal left Korn/Ferry to open his own firm, in competition with Korn/Ferry. Nosal persuaded current Korn/Ferry employees to use their log-in credentials to download, and provide to him, information kept in a confidential database on a Korn/Ferry computer. Although the employees were authorized to access the database, Korn/Ferry computer use policies forbid disclosing confidential information. In a 2012 opinion, the Ninth Circuit distinguished between access restrictions and use restrictions, ruling that “exceeds authorized access” under §1030(a)(4) did not extend to use restriction violations. I posted on that decision in Computer Fraud and Abuse Act’s Purpose is to Punish Hacking, Not Corporate Misappropriation, Rules Ninth Circuit.
Section 1030(a)(4) includes two prongs: “knowingly and with intent to defraud, [first prong] accesses a protected computer without authorization, or [second prong] exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” The 2012 Nosal decision involved the second prong, exceeds authorized access. The current decision involves the first prong, without authorization.
Relevant to the current Nosal case, Korn/Ferry revoked Nosal’s computer access credentials when he left the company. Nosal continued to access the Korn/Ferry database using the credentials of Nosal’s former assistant, who continued to work at Korn/Ferry at Nosal’s request.
The Ninth Circuit ruled that Nosal’s conduct was covered by the plain language of the CFAA.
Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA’s prohibition on access ‘without authorization,’ and thus we affirm Nosal’s conviction for violations of § 1030(a)(4) of the CFAA.
(Opinion pdf page 7).
The Ninth Circuit reiterated that the CFAA is not intended to cover the unauthorized use of information, but it is intended to cover unauthorized access – “getting into the computer after categorically being barred from entry.” (Opinion pdf page 17). The dissent viewed the case as a password sharing case and argued that Nosal did not violate the CFAA.
Facebook sued Power for CFAA and other statutory violations.
From its previous cases, including the second Nosal case, the Ninth Circuit distilled
(Opinion pdf page 16.)
The Ninth Circuit ruled that Facebook users may have initially given Power permission to access Facebook’s computers by signing up for Power’s promotion. The Court compared it to allowing a friend to use a computer. Facebook expressly rescinded any permission arguably given by its users by sending Power the cease and desist letter and by demanding that Power stop interacting with Facebook through automated scripts. Facebook also blocked Power’s IP address.
In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers ‘without authorization’ within the meaning of the CFAA and is liable under that statute.
(Opinion pdf page 19).
The Ninth Circuit affirmed the district court’s CFAA liability holding, but remanded to the district court to reconsider appropriate remedies.
These cases are:
U.S. v. Nosal, Nos. 14-10037, 14-10275, Ninth Circuit Court of Appeals, majority opinion by Judge M. Margaret McKeown, joined by Chief Judge Sidney R. Thomas, Judge Stephen Reinhardt dissenting.
Facebook, Inc. v. Power Ventures, Inc., No. 13-17154, Ninth Circuit Court of Appeals.