Comments on the Ninth Circuit’s En Banc Ruling in U.S. v. Nosal
[Post by Venkat Balasubramani, with comments from Eric]
US v. Nosal, 2012 WL 1176119 (9th Cir. Apr. 10, 2012)
Nosal was a Korn/Ferry employee who, after his departure, convinced some remaining employees to provide him with confidential information to help him start a competing business. Employees were authorized to access the company’s network and information on it, but they were prohibited by the employer’s policy from disclosing confidential information. The key question was whether the employees “exceeded their authorized access,” and whether their access and use of the information constituted a criminal violation of the Computer Fraud and Abuse Act.
The 9th Circuit took the case en banc. In a typically clear and emphatic Judge Kozinski opinion, the Ninth Circuit says that exceeding authorized access to an employer’s network does not support a conviction under the CFAA. (Judge Silverman’s dissenting opinion is worth checking out as well.) The key distinction is whether the employees accessed data or information that they were totally prohibited from accessing, or whether they misused information that that were otherwise authorized to access. The first scenario supports a CFAA violation, but the second does not.
The parties wrangle over the statute’s wording and construction, and the court sides in favor of the defendant with respect to these arguments. The court notes that the government’s interpretation of the statute would transform everyday online “dalliances,” which arguably violate employer policies by using networks for non-“business purposes,” into federal crimes:
What exactly is a “nonbusiness purpose”? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii?
What swayed the court is that the government’s construction of the statute would expand the scope of the statute far beyond its intended purpose—hacking—and would “make criminals of large groups of people who would have limited reason to suspect that they are committing a federal crime.” Who might these people be? You and me, and every other person who surfs countless websites arguably in technical violation of the applicable terms of service. We use sites that are subject to terms of service but these terms of service are, as the court notes, “vague and generally unknown.” We routinely violate those terms of service:
Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds form their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.
Moreover, websites reserve the right to change terms of service “at any time and without notice.” This means that any use of a website in violation of the terms–that the user may not even have knowledge of–could constitute a federal crime. The court cites to the terms of service of various websites, including Facebook, craigslist, Twitter, Hulu, YouTube, Match.com, Netflix, Pandora, just to name a few. The government came back and said that it would be unlikely that any user would be prosecuted for these violations, but the court cites to US v. Drew and says that if the government has a reason to go after you, its interpretation of the statute allows it to do so.
The day after the Ninth Circuit’s ruling in Nosal, the Second Circuit released its opinion in U.S. v. Aleynikov, explaining its rationale for setting aside Aleynikov’s conviction under the National Stolen Property Act and the Economic Espionage Act of 1996. Aleynikov was a highly paid programmer who worked for Goldman Sachs. He was lured away by a competing business to develop the competing business’s high frequency trading system. Prior to leaving Goldman, he transferred a chunk of the source code that he had developed while at Goldman. The Second Circuit sets aside his conviction, finding that source code alone is not a “product” for purposes of the EEA or a “good, ware, or merchandise” for purposes of the NSPA. Interestingly, Aleynikov was charged with a CFAA violation but the district court dismissed it, relying in part on Brekka. With respect to the CFAA claim, the district court said that because Aleynikov was authorized to access the source code at the time he accessed it, his subsequent misuse is not enough to support a CFAA charge. As it turns out, the government’s attempted workarounds to the CFAA, the NSPA and EEA charges, were no more availing.
The Ninth Circuit’s Nosal ruling is a big loss for employers, who in recent years have been pushing Computer Fraud and Abuse Act claims in the employment context. The court cites to Lee v. PMSI in a footnote, but there have been countless others. (Prior blog post on this topic: “No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee — Lee v. PMSI.”) It’s also a big loss for networks who will have a tougher time policing access based on terms of service violations. Facebook most recently went after Power Networks, and although it proceeded under California’s anti-hacking statute, this decision may affect similar lawsuits in the future. (The two statutes are not identical and it’s unclear as to whether a network could prohibit scraping or other unauthorized access.)
There’s a key question left somewhat open by the court’s opinion. If a network imposes use restrictions and says that users who access the network for improper purposes are not authorized to use the network at all (e.g., “if you provide false information when you register for an account, you are not authorized to access our service” or “you may not access our service via bots or other automated means”), does Nosal leave open the possibility of a CFAA violation in this context? Nosal (and LVRC v Brekka, an earlier Ninth Circuit case) do not appear to preclude this approach.
The Ninth Circuit’s approach here diverges from the approaches of other circuit courts. I don’t have a sense of whether this is a good candidate for Supreme Court review, but that’s a possibility. For what it’s worth, there’s a draft bill currently pending to “fix” the CFAA. Check out this post from Jennifer Granick as to why the fixes won’t be much of a fix: “Draft Bill to “Fix” CFAA Won’t.”
What steps can employers take post-Nosal? I’d consider the following: (1) make employee policies as explicit as possible, and don’t rely on vague notions of fiduciary duties; (2) impose access restrictions that govern the means of access; and (3) password-protect stuff that is truly a trade secret and make it available only on a need-to-know basis. Even these steps don’t guarantee a solid foundation for a CFAA claim. At the end of the day, it may be worth looking to other means of protecting your confidential information and restricting competition by employees.
* EFF (press release): Appeals Court Rules That Violating Corporate Policy Is Not a Computer Crime
* David Kravets: Court Rebukes DOJ, Says Hacking Required to Be Prosecuted as Hacker
Judge Kozinski’s opinion was highly entertaining (as usual) and full of pragmatic realpolitik, but I disagree with Venkat that the opinion was clear. In fact, I remain quite confused by the opinion and what it means for the CFAA. Among the questions I can’t confidently answer after the opinion:
* does the en banc’s definitional interpretation apply to both civil and criminal CFAA claims, or just criminal prosecutions? There are some reasons to believe the court’s opinion would support reading the language the same in civil and criminal contexts. The court says: “Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute.” Plus, a number cases endorsed by the majority are civil. However, the majority never clarifies this point, and there is some reason to believe the results aren’t 100% extensible to civil cases. For example, the majority opinion repeatedly hammers on CFAA criminality interpretation problems and gives examples of ridiculous CFAA crimes (and doesn’t give any countervailing examples of a CFAA civil case). The majority also concludes that criminal prosecutions turn on lenity, a consideration that wouldn’t apply in the civil context. Finally, the Lori Drew court treated civil and criminal CFAA suits differently, so arguably that distinction could still crop up in other cases.
* as noted by Venkat, if a company policy says “we condition your access to our network on you not doing XYZ with any data you subsequently acquire,” has the company drafted its way around the holding? This workaround should be too facile, but the majority opinion possibly sets up this bypass.
Obviously, future litigation will give us the answers to these questions. But it would have been better if the majority opinion had been clear enough to prevent the sorting-out process that will take place over the next couple of years.
Even with all of its ambiguities, I think the majority reaches a favorable policy outcome, and I for one would love to see the CFAA scale back its scope substantially. That isn’t going to happen. The CFAA is one of the statutes Congress keeps “improving” as part of its wars on terror and cybersecurity, so I wonder if this opinion’s result will survive Congress’ next ham-fisted amendment of the CFAA.