Catching Up on Ninth Circuit CFAA Jurisprudence (Internet Law Casebook Excerpt)
[Eric’s note: this is another excerpt from my Internet Law casebook. Venkat and I couldn’t blog last year’s chaotic and messy Ninth Circuit CFAA jurisprudence in real time. I nevertheless took one for the team and tried to make sense of the mess in the casebook. Here’s what I came up with:]
CFAA in the Employment Context. It’s fairly common for departing employees to take company files with them electronically. They may email the files to their personal email accounts, or they may download the files to a flash drive. Often, such activities constitute trade secret misappropriation, but let’s put the trade secret issue aside for a moment. Let’s also assume that the employee hasn’t hacked the system to obtain files that the employee wasn’t meant to access. Does the emailing/downloading of company files for non-company purposes constitute a misuse of the company’s equipment such that it becomes a CFAA violation?
This issue has vexed the courts. Several appellate courts, including United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (“Nosal I”) and WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012), held that an employee who initially had authorization to access the company’s computers did not “exceed authorized access” by downloading files for improper purposes. Courts do not uniformly follow this view, however.
The Nosal case shows the courts’ struggles with applying the CFAA in employment contexts. The Ninth Circuit explained:
Nosal worked at the executive search firm Korn/Ferry International when he decided to launch a competitor along with a group of co-workers. Before leaving Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new enterprise. Although they were authorized to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry’s confidentiality and computer use policies….When Nosal left Korn/Ferry, the company revoked his computer access credentials, even though he remained for a time as a contractor. The company took the same precaution upon the departure of his accomplices, Becky Christian and Mark Jacobson. Nonetheless, they continued to access the database using the credentials of Nosal’s former executive assistant, Jacqueline Froehlich-L’Heureaux (“FH”), who remained at Korn/Ferry at Nosal’s request.
In 2012, the court held that § 1030(a)(4)’s “exceeds authorized access” language “does not extend to violations of [a company’s] use restrictions.” United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).
Nosal’s win was short-lived. Prosecutors pursued Nosal on other aspects of the CFAA, and the case went back to the Ninth Circuit. United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016) (“Nosal II,” as amended in December 2016). In Nosal II, the court said “we are asked to decide whether the ‘without authorization’ prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.” The court held that, by instructing Jacqueline to act as his proxy, Nosal disregarded the former employer’s revocation of his access rights—even though Jacqueline (as a current employee) still had authorized access to the system.
Perhaps Nosal II is sufficiently fact-specific that it doesn’t undermine the broader principles articulated in Nosal I. Arguably, the case turned on Jacqueline’s provision of her passwords to departed employees whose system access had been expressly revoked. Still, the courts’ statutory construction remains highly confused and confusing.
In addition to the CFAA conviction, Nosal was convicted of criminal trade secret misappropriation. If trade secret law already protected Nosal’s former employer, why is the overlay of CFAA criminal law even needed in his circumstance?
Cease-and-Desist Letters Revoking Authorization. Power Ventures operated a service designed to aggregate a user’s social networking content from multiple social networking sites, including Facebook. At users’ request and using their login credentials, Power Ventures used automated scripts to log into a user’s Facebook account and download/upload content for the user. Facebook allowed third-party services to perform such functions using a service called “Facebook Connect,” but Power Ventures did not use Facebook Connect. As a result, Facebook sent cease-and-desist letters and blocked Power Ventures’ IP addresses. Neither effort worked. The parties ended up in court, leading to a Ninth Circuit opinion. Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016).
The Ninth Circuit recaps the general principles:
The court says that Power Ventures might have had implied authorization to access Facebook’s service, especially given the users’ requests for it to do so. However, “Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power on December 1, 2008….The consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission.” The Ninth Circuit also confirmed that Power Ventures violated the applicable state computer crime law, California Penal Code § 502.
While cease-and-desist letters usually are pretty clear about what the sender wants the recipient to do (or not do), cease-and-desist letters often demand remedies that would not be obtainable if litigated in court. In other words, they are often the sender’s wish list, maybe only loosely tethered to what the law actually provides. If so, does it make sense for the Ninth Circuit to treat cease-and-desist letters as dispositive on the CFAA “authorization” question? Recall that CFAA violations can be criminal, so the Ninth Circuit seems to be saying that a company’s private cease-and-desist letter can convert legal behavior into illegal behavior.
Interestingly, the court says (in a footnote) that cease-and-desist letters are more consequential than a service’s technological self-help via IP address blocks:
Simply bypassing an IP address, without more, would not constitute unauthorized use. Because a blocked user does not receive notice that he has been blocked, he may never realize that the block was imposed and that authorization was revoked. Or, even if he does discover the block, he could conclude that it was triggered by misconduct by someone else who shares the same IP address, such as the user’s roommate or co-worker.
What do you think of this differential treatment of IP address blocks and cease-and-desist letters?
On remand, the district court awarded about $80,000 of damages ($5k of remediation efforts post-C&D letter plus $75k of legal costs negotiating with Power Ventures) and issued a permanent injunction. Facebook, Inc. v. Power Ventures, Inc., 2017 WL 1650608 (N.D. Cal. May 2, 2017).
[Note: the hiQ v. LinkedIn ruling, which came after publication, would be relevant to this discussion, though I remain skeptical it will survive intact if appealed.]