Nosal Convicted of Computer Fraud and Abuse Act Crime Despite His Ninth Circuit Win – US v. Nosal
[Post by Venkat Balasubramani, with a comment from Eric]
US v. Nosal, CR 08-0237 EMC (N.D. Cal. Mar. 12, 2013) (.pdf, denying motion to dismiss)
US v. Nosal, a case that spawned two Ninth Circuit opinions and that’s sure to involve more, just concluded at the trial court level with Nosal being convicted on charges of violating the Computer Fraud and Abuse Act. (See coverage from David Kravets here (“Hacking Trial Devoid of Hacking Awaits Jury Verdict”) and Vanessa Blum here (“Nosal Found Guilty in Trade Secret Case”).)
Judge Patel originally dismissed several of the counts that alleged the misuse of information that was accessed by individuals who were authorized to access the information. Although the 9th Circuit initially disagreed, an en banc panel agreed with this approach, ruling that criminality should not turn on the person’s intent in accessing information or employer policies. The key question is whether the defendant is authorized to access the information in question at all. Since the dismissed counts alleged people accessed information they were otherwise authorized to access but misused this information, these counts were out.
But this left some remaining counts, which involved access via password sharing. Nosal argued that the 9th Circuit’s en banc opinion in Nosal precluded these claims as well because they did not involve any “hacking” in the traditional sense, but the district court (now Judge Chen) disagreed. In a March 12th order, he said that the 9th Circuit’s discussion of the CFAA as anti-hacking was only relevant to discuss the general purposes behind the CFAA and not something by which the court intended to limit the statute. In any event, he noted that a password is a basic technological barrier to access and using someone else’s password is as much a violation of the CFAA as is breaking the password. Nosal also argued by analogy to off-line trespass, saying that accessing an office with someone else’s key is not trespass, but the court doesn’t buy this argument.
The court also addressed the parties’ argument over whether “access” for purposes of the CFAA is the act of initially logging on, or encompasses ongoing use. Defendant argued that access just involves logging on, and if someone logged on with their own password, then the access is not unauthorized. The court rejects this interpretation, saying that the scenario as alleged by the government is that someone logged on using their credentials, then handed over the computer to an unauthorized person, who then conducted searches on the database. The court says this is functionally no different from just handing the password over and letting the other person access the database. (The court notes that it need not address the issue of whether looking over someone’s shoulder and “accessing” information falls under the statute.)
[As a sidenote, a federal district court in New York recently joined the 9th Circuit in rejecting the broader interpretation of the CFAA. Interestingly, this case also involved a recruiting business.]
It’s interesting that with all the hand-wringing generated by the 9th Circuit’s opinion, Nosal was convicted anyway! Eric has made this point previously, but it seems like there are always avenues open to employers to go after people who start competing businesses. Here, there was even a narrower CFAA claim that was available after several of the claims were nuked by the 9th Circuit. Even with these claims gone, there are still plenty of claims, at least on the civil side.
Judge Chen’s order, which is sure to be revisited in post-trial motions and in an appeal, grapples with the interesting issue of whether access by proxy violates the statute. Nosal’s argument–that the initial access which is effected by a person is authorized and this is all that matters–is an interesting one, but one that is unlikely to get much traction in the 9th Circuit. Still, it has some appeal, since the line between logging on and letting someone else access the information, and logging on, accessing the information and providing it to someone, is legally thin. (It’s also worth noting that this case should serve as a warning to those who share passwords.)
Eric’s Comment. This case baffles me. Did Nosal do something wrong? Yes, undoubtedly. Did he do something criminal? I’m not sure. Did he violate the Computer Fraud & Abuse Act? No, and it’s not even close. At most, Nosal encouraged or induced a CFAA violation, but as I understand the facts, he didn’t commit the CFAA violation directly. As Venkat notes–and as I outlined in my Forbes article on the CFAA–a variety of legal doctrines would have made Nosal pay for his choices. Contorting the CFAA to apply to him was unnecessary, and it’s disquieting for the rest of us.
9th Cir: Access of Computer in Violation of Employer’s Use Policy Violates Computer Fraud and Abuse Act — US v. Nosal (original panel opinion, vacated on rehearing)