In a new decision released on Tuesday (April 10), U.S. v. Nosal, 2012 WL 1176119 (9th Cir. 2012), the Ninth Circuit held that the phrase “exceeds authorized access,” within the meaning of Computer Fraud and Abuse Act (CFAA) is limited to access restrictions, not use restrictions. In doing so, it has created a circuit split, breaking with the 5th, 7th and 11th Circuits, circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See United States v. Rodriguez, 628 F.3d 1258(11th Cir.2010); United States v. John, 597 F.3d 263 (5th Cir.2010); Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir.2006). The Ninth Circuit reasoned that the government’s expansive interpretation of the statute would criminalize every trivial use of a workplace computer for surfing the Internet, posting on Facebook, playing Sudoku, or chatting online with friends.
The defendant, Nosal, left his job at an executive search firm, and persuaded some colleagues there to join him in starting a rival firm. These employees logged into their firm’s network and downloaded source lists, names, and contact information from a confidential database, which they gave to Nosal. These employees had authorization to access the database, but it was clearly against firm policy to disclose confidential information.
Nosal’s indictment covered twenty counts – trade secret theft, mail fraud, conspiracy, and violations of the Computer Fraud and Abuse Act (CFAA), a statute primarily targeted at computer hackers. The government argued that the statute applies to those who have authorization to access a computer or network, but who use the information in an unauthorized way or for an illicit purpose; the defendant argued, unsurprisingly, that the statute is inapplicable where the perpetrators have actual authorization to use the computer, but merely exceed the scope of their authorized use. The Ninth Circuit embraced the defendant’s position, supporting it with arguments from statutory construction, concerns about overbreadth, and the rule of lenity. A strident dissent insisted that the court should have followed the other circuits that have considered the issue.
I believe the Court reached the correct decision here - de minimis personal use of workplace computers is so commonplace that it would be almost unthinkable to criminalize it. The theft perpetrated by the defendants is already punishable under other statutes, so employers have adequate protection of law against the type of database looting that occurred here. The real problem with overly broad interpretations of criminal statutes is that it leads to selective enforcement, and usually surprise enforcement (legal ambush of a culprit who is already in plenty of trouble). Overly broad laws cover too large a portion of the population, or normal daily activities, to have consistent enforcement, so police and prosecutors pick and choose the targets under such laws - and this invites prejudice, bigotry, personal vendettas, and other abuses of government power into the justice process. The expansive reading of the statute urged by the government here, and followed by other circuits, is unnecessary for deterring wrongdoers (who already face punishment under other code provisions), and will be used to persecute unpopular individuals.
Apart from the retribution-deterrence debate, I believe criminal laws serve an important incapactative function - catching and imprisoning criminals before they can commit more serious crimes that build on their previous work. In this regard, the expansive reading of the CFAA serves no incapacitative purpose, because the individuals who would come under the reach of its expanded scope have actual authorization to use the computers - they are employees entrusted with passwords and so forth. Incapacitating hackers is one thing - each imprisoned hacker reduces the amount of hacking that occurs. But adding years to the sentence of a disgruntled employee who steals a client list from the network is not going to reduce the crime rate or the number of future incidents. This further supports the Ninth Circuit's decision in this case.
- Dru Stevenson