Does the Computer Fraud and Abuse Act (“CFAA”) prohibit hacking–improperly gaining entrance into a computer system–or simply prohibit improper use of a computer system? U.S. Courts of Appeal are divided. Now, district and appellate court judges in a single federal case pending in the Northern District of California, U.S. v. Nosal, have produced several divergent opinions regarding congressional intent with respect to the meaning of the CFAA.
The defendant in Nosal allegedly persuaded employees of his former employer to log in to the employer’s computer system and forward confidential information to him. Nosal allegedly planned to use the information to compete with his former employer.
The CFAA provides that an individual who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” is guilty of a crime. Although the CFAA is a criminal statute, most judicial opinions interpreting it are issued in civil (injunction and damages) litigation. Nosal is one of the unique reported CFAA cases in which the defendant was charged with a crime.
The most recent Ninth Circuit opinion in Nosal was written in 2012 by an en banc majority. Those judges concluded that the CFAA is simply an anti-hacking statute that criminalizes circumventing “technological barriers.” It does not apply to Nosal, the majority held, because he was not the person who entered his former employer’s computer system.
After the Ninth Circuit’s en banc decision was issued, affirming the district court’s dismissal of the indictment’s CFAA counts, a superseding indictment was returned. It alleged substantially the same crimes but added more facts with the purpose, apparently, of getting around the en banc ruling. Nosal again moved to dismiss the CFAA counts, stressing that the statutory words “accesses” and “access” relate to unauthorized logging into the company’s computer, not to the use that is made of the computer after logging in. Since he did not log in, he insisted, he could not be guilty of CFAA crimes.
In a ruling issued in mid-March 2013, Nosal’s motion was denied. The district court judge emphasized that the Ninth Circuit en banc majority’s words cannot be taken literally. According to that judge, “[h]acking was only a shorthand term used [by the en banc majority] as common parlance . . . to describe the general purpose of the CFAA,” and the phrase “circumvention of technological access barriers’ was an aside that does not appear to have been intended as having some precise definitional force.” In short, the district court judge concluded,
“[i]f the CFAA were not to apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA could be rendered toothless. Surely Congress could not have intended such a result.”
Proposed legislation to expand the scope of the CFAA is currently being circulated among the House Judiciary Comittee. Nevertheless, practitioners and parties in the states and territory which encompass the Ninth Circuit — Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, Washington State, and the Territory of Guam — will likely have to wait at least until the next CFAA lawsuit is decided by the Ninth Circuit before they may reliably predict what conduct will be held to violate the CFAA.