Wednesday, April 11, 2012

Ninth Circuit en banc adopts narrow reading of CFAA

In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the Ninth Circuit adopted a narrow reading of the Computer Fraud and Abuse Act, finding that violating an employer computer policy or a website's terms of service is not a violation of federal law.


Nosal quit his job and soon thereafter encouraged his former coworkers to send him confidential information from the company. The employees had access to the database but were not allowed to disclose the information. Nosal was charged under the CFAA "for aiding and abetting the ... employees in 'exceed[ing their] authorized access' with intent to defraud," and he filed a motion to dismiss, arguing that the statute doesn't cover this type of act. The district court agreed and dismissed most of the charges (United States v. Nosal, 2010 WL 934257 (N.D. Cal. 2010)). A Ninth Circuit panel reversed, finding that an employee does violate the CFAA by violating an employer's restrictions (Nosal, 642 F.3d 781 (2011)). The Ninth Circuit reviewed the decision en banc.

In Judge Kozinski's opinion, he acknowledged that the CFAA was written "to address the growing problem of computer hacking" and found that an argument that "exceeds authorized access" applied to hacking as well is "perfectly plausible." The court emphasized that to interpret the statute as encompassing policy violations would  mean that "millions of unsuspecting individuals would find that they are engaging in criminal conduct." Further, "minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate." The result being that a prohibition of Facebook use at work could land someone in prison for breaking the rule if the broad interpretation were adopted. "[S]udoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars."

Likewise, a broad reading would also criminalize letting a friend check your e-mail or providing inaccurate or misleading information on a dating website as those acts likely violate the service's terms. "[D]escribing yourself as “tall, dark and handsome,” when you’re actually short and homely, will earn you a handsome orange jumpsuit."

The Ninth Circuit's decision is contrary to decisions of other circuits - United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010);  United States v.  John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). The Ninth wrote that "[t]hese courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens. We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead."

0 comments:

Post a Comment