I’m not sure how I forgot to post an article about the 9th Circuit’s opinion in U.S. v. Nosal when it came out in mid-April. I suppose I was a bit busy with exams, winding up my tax law practice and preparing for a trip to Bolivia (busy month!), but this was a major development in internet law and I feel that it deserves at least a mention on this blog. There are already dozens of places you can go for an in-depth review of the case, but allow me to at least summarize what happened before directing you to some of those resources.
U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) is ostensibly a case about a man who conspired with workers at his former employer to steal client lists so that they could start up a rival company with a significant competitive advantage. While the defendant, Nosal, did little, if any, of the work accessing these trade secrets, he compelled others to do so on his behalf. When the scheme was uncovered, the company pressed criminal charges asserting that the employees were hacking its computers by accessing and misusing data that they previously had a right to use. The heart of the case is whether this behavior counts as hacking under the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030). The argument hinges on two alternative acts described in the law: either accessing a computer without permission or “exceeding authorized access” to a computer.
The court in Nosal weighed the possible harms that could come from conferring the power of federal criminal law on private terms-of-use (TOU) agreements. They found there could be profound consequences for all computer users because most contracts are subject to change without notice and may be unilaterally altered without any input from the citizens who would be criminally liable for violations. If that were the case, the law would fly in the face of the Constitution and thus must be read in a more limited manner, such that only hacking (accessing computers without authorization) is subject to criminal liability. This is the only logical or reasonable interpretation of the law, as to do otherwise would allow prosecutors almost unlimited discretion in deciding whom to prosecute. Although some federal prosecutors have claimed that they would be too busy to go after every little infraction, there’s plenty of evidence out there that they would not always be so restrained. Since any violation of a TOU would count under the CFAA’s very loose definitions (at least at the misdemeanor level), the law would almost certainly be void on vagueness grounds. By that, I mean that no one could know if they were violating the law, and laws that impose felony charges should not be subject to change without notice and certainly with no input or control from the legislature.
As alluded to earlier, the 9th Circuit’s decision runs counter to opinions about this part of the CFAA in at least five other circuits. Those courts all held that any act that went against a private computer access agreement, including an adhesion contract like a website TOU, would be hacking and subject to criminal prosecution. This means that the question will most likely get picked up by the U.S. Supreme Court to resolve the circuit split. I eagerly look forward to that debate.