A divided 9th Circuit panel decided U.S. v. Nosal today. The case initially looks like a simple employee trade secret theft case, but the Court’s interpretation of the Computer Fraud and Abuse Act has potentially far reaching ramifications. Here’s the thing – the court (in my view) reached the right ruling with the right statutory interpretation. However, that interpretation could possibly make many people liable under the CFAA that probably shouldn’t be.
Here are the basic facts: Nosal is charged with conspiracy to violate the CFAA, 18 U.S.C. 1030 because he conspired with employees at his former employer. Those employees accessed a database to obtain secret information that Nosal allegedly used in a competing business. Importantly, those employees had full access rights to that database. They didn’t hack, steal a password, rummage around, or anything else. They just logged on and copied information. Those employees had agreements that said they would not use the information for purposes other than their employment. I suspect that the agreement would not have even been necessary if it were reasonably clear that the information was trade secret, but that’s an issue for another post.
The provision at issue is 1030(a)(4), which outlaws: “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value….”
The district court dismissed the indictment, ruling that the employees could not have exceeded authorized access. The court relied on a prior case, LVRC Holdings LLC v. Brekka, to rule that the employees could not have exceeded authorized access because database access was within the scope of their employment. According to the lower court, one can only exceed authorization by wandering into an area where one has no authorized access at all. The appellate panel illustrates this with drive letters: if the employees could access the F: drive but not the G: drive, then data taken from the F: drive for any purpose could not exceed authorized access, but gathering data from the G: drive would, because the employees were not supposed to go there. By analogy, there could be no exceeded authorization here because the database was part of the employees' access rights.
The Ninth Circuit panel disagreed. It starts with the definition in 1030(e)(6):
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter
The Court focuses on the “so” term. It argues that “so” would be superfluous under the district court’s reading. After all, exceeding authorized access means you must have had the right to be there in the first place. To limit this to different areas of the database doesn’t work, since the statute plainly outlaws access to the computer when such access is then used to obtain information that the accessor is not entitled to obtain.
The problem with this reading, of course, is that the employees were arguably entitled to obtain the information. Not so, says the Court – and this is where the trade secret angle comes in. The employees were decidedly (or at least allegedly) not entitled to obtain the information if the purpose was to leak it to Nosal.
How does the court deal with LVRC? It appears that the two cases are consistent:
1. LVRC says that “without authorization” means having no authorization at all to access the computer or drive in question, as distinct from exceeding authorization (some parts of the statute require access without any authorization, while for others exceeded authorization is enough).
2. LVRC makes clear that where employers set access policies and communicate them, then employees may be deemed to have acted without authorization.
3. LVRC envisions exactly the result in this case:
Section 1030(e)(6) provides: “the term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has “exceed[ed] authorized access.” On the other hand, a person who uses a computer “without authorization” has no rights, limited or otherwise, to access the computer in question.
Of course, it is not this easy. LVRC had a footnote:
On appeal, LVRC argues only that Brekka was “without authorization” to access LVRC’s computer and documents. To the extent LVRC implicitly argues that Brekka’s emailing of documents to himself and to his wife violated §§ 1030(a)(2) and (4) because the document transfer “exceed[ed] authorized access,” such an argument also fails. As stated by the district court, it is undisputed that Brekka was entitled to obtain the documents at issue. Moreover, nothing in the CFAA suggests that a defendant’s authorization to obtain information stored in a company computer is “exceeded” if the defendant breaches a state law duty of loyalty to an employer, and we decline to read such a meaning into the statute for the reasons explained above. Accordingly, Brekka did not “obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,” see 18 U.S.C. § 1030(e)(6), and therefore did not “exceed[ ] authorized access” for purposes of §§ 1030(a)(2) and (4).
This footnote seems directly contrary to the outcome in Nosal. It is also an example of something I tell my cyberlaw students – make every argument you can! How could LVRC not have made the exceeded authorization argument directly on appeal? Surely that issue merited more than a footnote.
The court doesn’t deal with this footnote, but instead makes some factual distinctions that work for me. First, in LVRC the defendant had unfettered access with no clear rules about the data. Second, in this case there is a clear trade secret misappropriation, whereas in LVRC the allegation was a nebulous “breach of duty” argument without any real showing that the email accessed would be competitively used against LVRC.
Maybe it is because of my background in trade secret law, and I suspect that I may be in the minority among my cyberlaw colleagues, but I think this was the right interpretation and the right outcome. Exceeding authorized access has no meaning if it does not apply in this case. To me, at least, this was a textbook case of access that starts authorized but becomes unauthorized as soon as the nefarious purpose for the access is revealed.
And now the scary part
That said, this is still scary – but the problem is with the law, not the court’s ruling. Why is it scary?
First, employees who look where they shouldn’t could now be considered criminals under the CFAA, so long as they are looking at material they know they shouldn’t be accessing.
Second, this is not necessarily limited to employees. Anyone using a website who starts using information from it in a way that the web operator clearly does not desire could theoretically be criminally liable.
Now that’s scary.
The Nosal court tries to explain this away by saying that fraudulent intent and obtaining something of value are required under 1030(a)(4). True enough, but that’s not the only subsection in the CFAA. Section 1030(a)(2), for example, outlaws intentionally accessing a computer without authorization or in excess of authorized access and thereby obtaining information, with no fraudulent intent required. Sure, the penalties may not be as severe, but it is still barred.
So, how do we reconcile this case with common sense? Are all web users now criminals if they lie about their age or otherwise commit minor violations? I doubt it.
First, I think there must be some independent wrongful action associated with the action – a tort that common folk would understand to be wrongful. In this case, trade secret misappropriation was clear. LVRC v. Brekka went the other way because it was not at all clear the action was independently wrongful and thus something the employer would never authorize. I tend to think that browsewrap agreements on websites won’t cut it.
Second, the wrongful action has to be tied somehow to the unauthorized access. In other words, lying about your age shouldn’t affect access rights generally, but lying about your age might very well be a problem if the reason you did so was to prey on young children. I’ll leave others to debate how this might apply to the Lori Drew case. The recent case of MDY v. Blizzard makes this connection for the Digital Millennium Copyright Act, and it seems like a reasonable one under the CFAA as well.
The CFAA scares me, and it should scare you, too. But it’s not as scary as many make it out to be – at least I hope not.