Tuesday, July 31, 2012

Fourth Circuit adopts narrow reading of the CFAA

We have previously discussed the tension between a wide and a narrow reading of the CFAA: see Jeffrey's original take on Nosal, "Ninth Circuit en banc adopts narrow reading of CFAA," and my analysis of the dissent, "Why Nosal’s dissent is surprisingly persuasive."

Well, the Fourth Circuit has sided with the "narrow" camp, in WEC Carolina Energy Solutions v. Miller. Not surprisingly, it is another case of employee disloyalty that has been dressed up as a federal hacking violation. Essentially, Miller (or his assistant) downloaded documents while he was still employed and authorized to access such information, and then, twenty days after his resignation, used allegedly proprietary information (from the downloaded documents) in a presentation to customers for his new employer (a competitor of WEC). WEC eventually lost the contract and sued under the CFAA, alleging that the downloading of the documents was a violation of the CFAA because "'[u]nder WEC's policies they were not permitted to download confidential and proprietary information to a personal computer.' Thus, by doing so, they 'breache[d] their fiduciary duties to WEC' and via that breach, they either (1) lost all authorization to access the confidential information or (2) exceeded their authorization."

The court reviewed the panel decision in Nosal (which was later overturned en banc), and candidly called its interpretation of the CFAA a "non sequitur." Recall that a reading of the CFAA under the Nosal panel's interpretation would essentially criminalize employee violations of acceptable use policies. And let's not forget what the fight is really over - it is the plain text of the CFAA, which defines in pertinent part "exceeds authorized access" as:

to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.

The key word, as I have highlighted, is "so." Nosal defined "so" as "in that manner." The Fourth Circuit responded:

To us, defining "so" as "in that manner" only elucidates our earlier conclusion that "exceeds authorized access" refers to obtaining or altering information beyond the limits of the employee's authorized access. It does not address the use of information after access. Indeed, the Ninth Circuit indicated as much in its en banc reversal, when it declined to hold that the interpretation of "so" as "in that manner" necessarily means employees can be liable for use-policy violations.

The Fourth Circuit thus rejected the wide interpretation of "so," and applying the rule of lenity, held that "Congress has not clearly criminalized obtaining or altering information 'in a manner' that is not authorized. Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter."

The court went on to clearly reject the Seventh Circuit's "cessation-of-agency theory" interpretation of the CFAA in Citrin, finding that interpretation deficient because:

Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer's use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer's computer systems.

The Fourth Circuit stated that in drafting the CFAA, Congress did not intend to legislate on the agency relationship and did not intend "the imposition of criminal penalties for such a frolic."

As Orin Kerr reported on the Volokh Conspiracy, subsequent to this decision the DOJ asked for an extension of time to file the petition for certiorari for the Nosal decision. That seems like a no-brainer to me. The government will need to craft an argument to sidestep this landmine, and I'm not sure they'll be able to do it.

I am highly persuaded by Judge Floyd's reasoning, and I absolutely agree that Congress never intended any interaction between agency theory and the CFAA. I agree because any other interpretation is illogical. Congress was legislating computer intrusions (a.k.a. hacking) in 1986 (26 years ago), and its intent in legislating the act is borne out by the record; it is further clarified when one considers documents such as the Hacker Manifesto (published Jan. 1986), which was all about breaking into systems, not use violations. Recall 1986 technology:



1986 wasn't the land of the "internets," the Googlemaker, or the MyFaceTube - it was a completely different technological landscape. Which just reinforces a point I keep making - that the CFAA is anachronistic and should be revised; however, until it is, it should not be used as the sword of enforcement for violations of every and any use policy an entity can dream up. Such an interpretation is not borne out by the text, the history, or the intent, nor does it comport with the real function that the law was enacted to serve.
