The United States Court of Appeals for the 9th Circuit continues to decide high-profile cases that interpret the key provisions of the Computer Fraud and Abuse Act (CFAA). This post summarizes two July decisions from the court—one that sent the internet into a frenzy, and one that somewhat assuaged those fears.
Overview of the CFAA
The CFAA’s deceptively simple statutory scheme and language have proved difficult to apply in practice some 30 years after it was enacted. The CFAA creates criminal and civil liability for whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). “The statute thus provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Musacchio v. United States, 136 S. Ct. 709, 713 (2016). The CFAA provides a private right of action for “[a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. § 1030(g).
Nosal (II): Criminalizing password sharing?
David Nosal was a recruiter at the executive search firm Korn/Ferry International. After deciding to launch a competitor, but before leaving Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry computer database. The government brought criminal counts under the CFAA against Nosal and those employees; those counts were ultimately dismissed because the court determined that, by using their own passwords, the employees did not “exceed authorized access,” and therefore Nosal did not aid and abet them in violating the CFAA. The 9th Circuit affirmed in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (“Nosal (I)”).
The latest appellate decision concerns portions of the CFAA that were not at issue in Nosal (I). After Nosal left Korn/Ferry and after his computer access credentials had been revoked, he and his departed colleagues continued to access the database under the credentials of Nosal’s former executive assistant. Upon this evidence, the jury convicted Nosal of conspiracy to violate the “without authorization” provision of the CFAA. On appeal, the 9th Circuit affirmed his conviction. United States v. Nosal, Nos. 14-10037 & 14-10275, 2016 U.S. App. LEXIS 12382 (9th Cir. July 5, 2016) (Nosal (II)).
Writing for the majority, Judge McKeown stated that “[t]his appeal is not about password sharing.” The majority applied classic statutory interpretation, as confirmed by its 2009 decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), to find that Nosal acted “without authorization” the minute his computer access credentials were revoked by Korn/Ferry.
Nosal (II) might have been uncontroversial were it not for Judge Reinhardt’s impassioned dissent. His opening line: “This case is about password sharing.” He urged a narrow interpretation of the “without authorization” provision: “a person accesses an account ‘without authorization’ if he does so without having the permission of either the system owner or a legitimate account holder.” This interpretation, Judge Reinhardt urged, comported with the statute’s purpose as an anti-hacking measure, best accounted for the rule of lenity, and minimized the risks of selective or arbitrary enforcement. The majority’s interpretation of the CFAA’s “without authorization” provision risked making “the millions of people who engage in this ubiquitous, useful, and generally harmless conduct [of password sharing] into unwitting federal criminals.”
Power Ventures: A step back
A week after it filed Nosal (II), the 9th Circuit issued another opinion involving the CFAA, Facebook, Inc. v. Power Ventures, Inc., Nos. 13-17102 & 13-17154, 2016 U.S. App. LEXIS 12781 (9th Cir. July 12, 2016) (Power Ventures). In Power Ventures, the appellants owned Power.com, a now non-existent website that, as of 2008, aggregated a user’s social networking information. In late 2008, Power.com began advertising a promotion to draw users to the site. When users clicked a link on Power.com, Power Ventures (Power) would create an event, photo or status on the user’s Facebook profile. Then, Power would cause an internal Facebook message or external email message to be transmitted to that user’s Facebook friends. After noticing Power’s promotional campaign, Facebook sent a cease-and-desist letter to Power and soon thereafter began blocking Power’s IP address from accessing the Facebook website. Some 60,000 external emails and an unknown number of internal emails later, Facebook sued, alleging violations of, among other laws, the CFAA. The district court granted summary judgment to Facebook.
On appeal, the 9th Circuit—without citing to Nosal (II)—analogized Power users’ clicking of the link to “allowing a friend to use a computer or to log on to an e-mail account.” This, reasoned the court, gave Power “at least arguable permission to access Facebook’s computers,” meaning that, at least initially, Power did not access Facebook’s computers “without authorization” within the meaning of the CFAA. This was the case even though Power violated Facebook’s terms of use from the beginning. The court, citing to Nosal (I), noted that a violation of use terms, without more, is insufficient to impose CFAA liability.
The court, however, affirmed in part the district court’s order because Facebook had expressly revoked Power’s “arguable permission” by sending a cease-and-desist letter. Every access after the delivery of that letter was therefore “unauthorized.” The court explained via the following analogy:
Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises).
Accordingly, although the court did not make it explicit, it would appear that Judge Reinhardt’s concerns that Nosal (II) risked criminalizing password sharing will not come to fruition.
What’s next?
Nosal (II) and Power Ventures provide some clarity to the CFAA. Unfortunately, they do not answer every question. For example, what constitutes notice sufficient to revoke one’s authorization? This question and others await their day in court (which may come with en banc rehearings of the panel decisions). Fortunately, however, Power Ventures seems to have alleviated commentators’ fears that federal law enforcement officials might come knocking the next time one shares his or her Netflix password with a family member or friend.
For more information about the CFAA and related privacy and data security laws, please contact Donna Ruscitti, Brian Hall, Jason Gerken, or any member of Porter Wright’s Privacy & Data Security Practice Group.