Thursday, April 12, 2012

With 9-2 Ruling, Circuit Narrows Scope of Computer Fraud and Abuse Act

"x x x.


In a highly anticipated test of the Computer Fraud and Abuse Act, the U.S. Court of Appeals for the Ninth Circuit construed the law narrowly Tuesday, saying prosecutors can't use it to go after someone who checks sports scores from a work computer or fibs on Facebook. The 1984 law is an anti-hacking statute, not a tool to make federal criminals of anyone who violates employer computer policies or a website's terms of service, the en banc panel said in a 9-2 opinion in U.S. v. Nosal, 10-10038.
"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," Chief Judge Alex Kozinski wrote for the majority. "This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime."
In splitting from other circuits and reversing the panel decision, the court said the plain language of the statute prohibiting someone from "exceeding authorized access" to a computer does not extend to violations of use restrictions. The majority said there are other laws the government can use to prosecute someone who steals confidential information, and that a narrow interpretation of the CFAA is necessary because "we shouldn't have to live at the mercy of our local prosecutor."
The ruling affirms San Francisco U.S. District Judge Marilyn Hall Patel, who junked five counts in the government's case against David Nosal. He is the former employee of an executive search firm accused of having colleagues access a confidential database to get information for his new competing business. "Because Nosal's accomplices had permission to access the company database and obtain the information contained within, the government's charges fail to meet the element of 'without authorization, or exceeds authorized access,'" Kozinski wrote.
The court illustrated its point with a series of alarmist scenarios: Under the government's view of the law, the "short and homely" person's claim on Craigslist to be tall, dark and handsome could earn the poster a "handsome orange jumpsuit." Vast numbers of teens who used Google could have been deemed "juvenile delinquents" since until last month the company's use agreement technically barred minors from using its services.
For the government, the case was not about white lies and people goofing off at work. Nosal, they argue, was up to no good, and the statute requires an "intent to defraud." The dissenting judges make that point.
"This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values," Judge Barry Silverman wrote, with Judge Richard Tallman joining. "It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts."
Silverman goes on: "In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men — far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy."
The language of the statute is clear, Silverman says. Only a person with both the requisite mens rea and specific intent to defraud — "but only such persons" — can violate the law in one of two ways: either by accessing a computer without authorization or by exceeding authorized access, which means to use a computer in a way in which they are not entitled.
"This is not an esoteric concept," Silverman said. He uses the example of a bank teller who is entitled to access the bank's money for legitimate reasons but not to take the money, or a customer allowed to take a car for a test drive but not to Mexico for a drug run.
The section of the statute Nosal is charged under — and the section that's the focus of the appeal — carries an additional component of intent to defraud, while other sections of the law carry no such requirement. It doesn't "advance the ball to consider, as the majority does, the parade of horribles that might occur under different subsections of the CFAA," Silverman wrote. The court should wait for such a case to frame those issues "rather than posit a laundry list of wacky hypotheticals."
While the opinion breaks from the Fifth and Eleventh circuits, the majority said it's following this circuit's controlling case, LVRC Holdings LLC v. Brekka. Elaborating on Brekka, the majority holds that "exceeds authorized access" in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.
It's unclear whether prosecutors will seek high court review. A spokesman for Northern District U.S. Attorney Melinda Haag, whose office is prosecuting the case, declined to comment.
Prosecutors have taken an aggressive posture in this case, appealing even when many criminal counts remained intact at the trial level and bringing in a lawyer from Main Justice, Jennifer Ellickson, to argue. Nosal's appellate counsel Dennis Riordan said in light of that, he expects there to be a push inside the department to file cert. However, he said, the Solicitor General's office, which makes the call, may think twice about pursuing this particular CFAA case, considering Kozinski's "very, very powerful and well reasoned opinion."
"It really is a sigh of relief," said Riordan, who argued unsuccessfully before the three-judge panel. (His co-counsel, Minnesota lawyer Ted Sampsell-Jones, argued before the en banc court.) "Had the opinion gone the other way, virtually everyone in the country would have to be worrying whether they are committing a federal crime."
Kozinski's majority included judges on both ends of the political spectrum. On the liberal side, Judges Harry Pregerson, Margaret McKeown, Richard Paez, Kim McLane Wardlaw and new Obama appointee Mary Murguia. And the GOP appointees joining were Ronald Gould and Jay Bybee.
Both dissenting judges are Clinton appointees, but both Tallman, a Republican, and Silverman, considered a moderate Democrat, are former prosecutors known for taking pro-government positions.


x x x."