Showing posts with label authorization. Show all posts

Tuesday, July 31, 2012

Fourth Circuit adopts narrow reading of the CFAA

We have previously discussed the tension between the wide and narrow readings of the CFAA - see Jeffrey's original take on Nosal, "Ninth Circuit en banc adopts narrow reading of CFAA," and my analysis of the dissent, "Why Nosal's dissent is surprisingly persuasive."

Well, the Fourth Circuit has sided with the "narrow" camp, in WEC Carolina Energy Solutions v. Miller. Not surprisingly, it is another case of employee disloyalty that has been dressed up to be a federal hacking violation.  Essentially, Miller (or his assistant) downloaded documents while he was still employed and was authorized to access such information and then twenty days after his resignation used allegedly proprietary information (from the downloaded documents) in a presentation to customers for his new employer (a competitor of WEC). WEC eventually lost the contract and sued under the CFAA, alleging that the downloading of the documents was a violation of the CFAA because "'[u]nder WEC's policies they were not permitted to download confidential and proprietary information to a personal computer.' Thus, by doing so, they 'breache[d] their fiduciary duties to WEC' and via that breach, they either (1) lost all authorization to access the confidential information or (2) exceeded their authorization."

The court reviewed the panel decision in Nosal (which was later overturned en banc) and candidly called its interpretation of the CFAA a "non sequitur." Recall that the CFAA, read as the Nosal panel read it, would essentially criminalize employee violations of acceptable use policies. And let's not forget what the fight is really over - it is the plain text of the CFAA, which defines "exceeds authorized access," in pertinent part, as:

to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.

The key word, as I have highlighted, is "so." The Nosal panel defined "so" as "in that manner." The Fourth Circuit responded:

To us, defining "so" as "in that manner" only elucidates our earlier conclusion that "exceeds authorized access" refers to obtaining or altering information beyond the limits of the employee's authorized access. It does not address the use of information after access. Indeed, the Ninth Circuit indicated as much in its en banc reversal, when it declined to hold that the interpretation of "so" as "in that manner" necessarily means employees can be liable for use-policy violations.  
The Fourth Circuit thus rejected the wide interpretation of "so," and applying the rule of lenity, held that "Congress has not clearly criminalized obtaining or altering information 'in a manner' that is not authorized. Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter."

The court went on to clearly reject the Seventh Circuit's "cessation-of-agency theory" of the CFAA, announced in Citrin. The Fourth Circuit found that interpretation deficient because:

Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer's use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer's computer systems.
The Fourth Circuit stated that in drafting the CFAA, Congress did not intend to legislate on the agency relationship and did not intend "the imposition of criminal penalties for such a frolic."

As Orin Kerr reported on the Volokh Conspiracy, subsequent to this decision the DOJ asked for an extension of time to file the petition for certiorari for the Nosal decision. That seems like a no-brainer to me. The government will need to craft an argument to sidestep this landmine, and I'm not sure they'll be able to do it.

I am highly persuaded by Judge Floyd's reasoning, and I absolutely agree that Congress never intended any interaction between agency theory and the CFAA. I agree because any other interpretation is illogical. Congress was legislating computer intrusions (a.k.a. hacking) in 1986 (26 years ago) - and its intent in enacting the statute is borne out by the record; it is further clarified when one considers documents such as the Hacker Manifesto (published Jan. 1986), which was all about breaking into systems, not use violations. Recall 1986 technology:

1986 wasn't the land of the "internets," the Googlemaker, or the MyFaceTube - it was a completely different technological standpoint. Which just reinforces a point I keep making - that the CFAA is anachronistic and should be revised; however, until it is, it should not be used as the sword of enforcement for violations of every and any use policy an entity can dream up.  Such an interpretation is not borne out by the text, the history, the intent, nor does it comport with the real function that the law was enacted to serve.

Monday, July 2, 2012

Court upholds verdict that defendant did not "knowingly exceed authorization" when he clicked on and viewed emails in an open Yahoo! inbox

In an unpublished decision, the Superior Court of New Jersey, Appellate Division, denied the plaintiff's motion for judgment notwithstanding the verdict in a case where the defendant opened emails in an inbox that had been left logged in on the computer next to him. The case is Marcus v. Rogers, 2012 N.J. Super. Unpub. LEXIS 1523 (June 28, 2012).

The facts of the case are interesting - the defendant was involved in a dispute over his salary with the school district he worked for. While surfing the internet in the computer room, he accidentally bumped the mouse of the computer next to him, and the screen came alive to reveal an open Yahoo! inbox. It belonged to one of the members of the education association he was in dispute with. Two emails clearly pertained to his dispute, so he clicked on them and read them. They were not flattering to the education association, so at the next meeting the defendant distributed the emails as evidence of a failure to bargain in good faith. The emails included conversations between multiple members of the association, and accordingly they all filed suit on various claims; of importance here was a cause of action under N.J.S.A. 2A:156A-27, which reads in pertinent part:
A person is guilty . . . if he (1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and (2) thereby obtains, alters, or prevents authorized access to a wire or [an] electronic communication while that communication is in electronic storage.
The court initially found that the defendant did not access the facility without authorization because the previous user who had logged in was actually the one to access the facility. So the question for the jury turned on exceeding authorized access. The court framed the case in that regard as follows: "the question for this court is whether the undisputed facts precluded a finding that Wayne [the defendant], the non-moving party, knew Marcus [the inbox owner] had not consented to — stated differently, had not impliedly or tacitly authorized — access to the contents of the e-mails that she left accessible to all by failing to close her inbox and log off her account." 

The court reviewed the jury's finding, noting that the Judge below had been careful in crafting his instructions regarding the statutory requirements:
In fact, the judge in this case submitted questions to the jurors that were carefully crafted to ascertain whether Wayne [the defendant] knew he lacked authorization or knew he exceeded his authorization. Their answers demonstrate that they found he did not know. All seven of the deliberating jurors found that he "knowingly accessed" the facility providing the service and that he obtained an electronic communication in electronic storage, but six of the seven found that he had not "exceeded an authorization to access that facility," and seven found that Wayne had "tacit authorization" to do so. 
The court declined to overturn such a verdict, noting that a question of subjective intent is a question for the jury unless no reasonable fact-finder could reach that conclusion, and the court did not subscribe to the latter notion.

In short, I do not agree with this decision. I agree that there is tacit authorization to skim all of the contents on the screen of the computer with the open inbox, but as soon as you click on an email and open it, I cannot understand how that does not violate the statute. I believe the court erred in dismissing the "knowingly accesses without authorization" leg of the test - yes, the first user knowingly accessed it, but that does not preclude a second user from knowingly accessing it as well. More specifically, the "knowingly accesses" portion cannot be a one-and-done sort of query - the user who first logged in did so, but the defendant also did so when he committed an overt act to open another person's email without their authorization. The court is conflating access with "logging in," which is an altogether too narrow reading of the statute.

"Accesses" is being used as a verb in the statute above, and a quick look at the dictionary shows where the court went wrong:
Verb: Obtain, examine, or retrieve (data or a file).
I access something, inter alia, when I log in, when I click on something, or when I make a query to a database. Accordingly, I knowingly access without authorization and obtain an electronic communication in electronic storage when I click on somebody else's email in an inbox.

Leaving your inbox open is stupid and gives tacit authorization to view that which is in front of you - the inbox. It does not give you authorization to then click on anything within there.