9th Circuit’s Opinion in U.S. v. Nosal Sets the CFAA on Track for Supreme Court Review

I’m not sure how I forgot to post an article about the 9th Circuit’s opinion in U.S. v. Nosal when it came out in mid-April. I suppose I was a bit busy with exams, winding up my tax law practice and preparing for a trip to Bolivia (busy month!), but this was a major development in internet law and I feel that it deserves at least a mention on this blog. There are already dozens of places you can go for an in-depth review of the case, but allow me to at least summarize what happened before directing you to some of those resources.

U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) is ostensibly a case about a man who conspired with workers at his former employer to steal client lists so that they could start up a rival company with a significant competitive advantage. While the defendant, Nosal did little, if any, of the work accessing these trade secrets, he compelled others to do so on his behalf. When the scheme was uncovered, the company pressed criminal charges asserting that the employees were hacking its computers by accessing and misusing data that they previously had a right to use. The heart of the case centers on whether this behavior counts as hacking under the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030). The heart of the argument hinges on two alternative acts described in the law, either accessing a computer without permission or “exceeding authorized access” to a computer.

The court had little trouble with the act of accessing a computer without authorization, but struggled with what Congress meant by “exceeding authorized access.” Other circuits have defined the phrase as doing anything that violated a computer use policy or other private contract that set ground rules for accessing information on a computer. This, by the coincidental inclusion of all computers with access to the Internet, could possibly lead to the criminalization of any behavior that has the effect of violating a terms of use (TOU) agreement. Alternatively, the phrase can be interpreted as restricting only those acts whereby a user with a legitimate right to use a computer, goes above and beyond the permission they previously had and accesses data they were not meant to have.

The court in Nosal weighed the possible harms that could come from conveying the power of federal criminal law onto private TOU agreements. They found there could be profound consequences for all computer users because most contracts are subject to change without notice and may be unilaterally altered without any input from the citizens who would be criminally liable for violations. If that were the case, the law would fly in the face of the Constitution and thus must be read in a more limited manner, such that only hacking–accessing computers without authorization–is subject to criminal liability. This is the only logical or reasonable interpretation of the law, as to do otherwise would allow prosecutors almost unlimited discretion in deciding whom to prosecute. Although some federal prosecutors have claimed that they would be too busy to go after every little infraction, there’s plenty of evidence out there that they would not always be so restrained. Since any violation of a TOU would count under the CFAA’s very loose definitions (at least at the misdemeanor level), the law would almost certainly be void on vagueness grounds. By that, I mean that no one could know if they were violating the law, and laws that impose felony charges should not be subject to change without notice and certainly with no input or control from the legislature.

As alluded to earlier, the 9th Circuit’s decision runs counter to opinions about this part of the CFAA in at least five other circuits. Those courts all held that any act that went against a private computer access agreement, including an adhesion contract like a website TOU, would be hacking and subject to criminal prosecution. This means that it will most likely get picked up by the U.S. Supreme Court to resolve the circuit split. I eagerly look forward to that debate.

For more on this, as I promised, check out the EFFVolokh Conspiracy and Harvard Journal of Law & Technology.

About Justin Kwong

An attorney in the Twin Cities and adjunct professor at William Mitchell College of Law where I teach a seminar on the law of virtual worlds.
This entry was posted in Litigation, Rights and Civil Liberties, Social Networks. Bookmark the permalink.

2 Responses to 9th Circuit’s Opinion in U.S. v. Nosal Sets the CFAA on Track for Supreme Court Review

  1. Pingback: Phone Cramming: Hackers Hijack Technology Designed to Help Earthquake Victims | Virtual Navigator

  2. Pingback: Defacing Facebook is Now a Crime in Ireland | Virtual Navigator

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s