In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), the court held that the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, prohibits unlawful access to a computer but not unauthorized use of computerized information. Although that holding represents a minority position, two recent opinions — one in a Ninth Circuit criminal case and one by a California district court in a civil proceeding — indicate that the ruling in Nosal still is the law out west.
Recent Ninth Circuit and California district court CFAA cases.
Christensen. The 100+ page opinion in U.S. v. Christensen, Nos. 08-50531, et al. (9th Cir., Aug. 25, 2015), details what the court described as “a widespread criminal enterprise offering illegal private investigation services in Southern California.” Six individuals were accused and convicted in the District Court for the Central District of California pre-Nosal of computer fraud, bribery, racketeering, wiretapping, identity theft, and more. On appeal, several convictions were affirmed, and some others were remanded but just for resentencing. Of particular interest to readers of this blog, however, all three convictions for violating the CFAA were vacated on the ground that Nosal rendered the jury instructions clearly erroneous and prejudicial. A retrial may be possible.
Loop AI Labs. In Loop AI Labs Inc. v. Gatti, No. 15-cv-00798 (N.D. Cal., Sept. 2, 2015), the defendants’ motion to dismiss certain counts of the amended complaint was granted in part and denied in part. The defendant was Loop AI Labs’ former CEO. Although she had left the company and worked for a competitor, she continued to log in to Loop AI Labs’ computers. The court ruled that until Loop AI Labs formally revoked her authorization to access the company’s computers, she did not violate the CFAA by logging in, regardless of her motive.
Faulty jury instructions in Christensen. One of the defendants was a Los Angeles police officer. He was charged with violating the CFAA, among other statutes, by (a) logging in to confidential state and federal law enforcement databases — which he had the right to access — and (b) in exchange for a bribe, providing to two other defendants information they requested from those databases but to which they were not entitled. The prosecutor simply assumed, and did not attempt to prove, that the officer thereby committed a CFAA violation. According to the Ninth Circuit, that assumption was unwarranted after Nosal was decided.
By the same token, at trial the three defendants accused of CFAA violations did not object when the court instructed the jurors — before Nosal — that they should find a CFAA violation if they determined that a computer had been knowingly accessed with the intent to use the information to commit a fraud. In Christensen, the appellate court held that those jury instructions were plainly erroneous in light of Nosal and clearly were prejudicial. For these reasons, the CFAA convictions were vacated.
Takeaways. Approximately one-half of the circuit courts of appeal have ruled on the meaning of the phrase “exceeds authorized access” as used in the CFAA. In the circuits where there has not yet been a ruling, obviously, there is uncertainty as to which position the court will adopt.
The majority — so-called liberal — view is exemplified by holdings in cases such as International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (CFAA violated by accessing a computer for an unauthorized purpose). Nosal, and now Christensen, represent the minority (or narrow) position that an individual with authorization to access a computer does not commit a CFAA violation regardless of what the individual does with the information so obtained.
Adding to the confusion, courts are not in agreement over the meaning of Nosal. For example, in the recent case of U.S. v. Shen, Case No. 4:14-CR-122 (W.D. Mo. Apr. 21, 2015), the facts were somewhat similar to those in Loop AI Labs. Citing Nosal, the court in Shen stated: “There is some disagreement as to whether an employee who properly accesses a computer and then misuses the information can be convicted” of violating the CFAA. The Missouri court added: “However, courts are clear that employees who gain access to a computer through their employment lose authorization once they have resigned or been terminated. Moreover, persons of common intelligence would understand as much.” Id. at p.4 (citations omitted). As is apparent, the judge who decided Loop AI Labs does not concur. Further, there are also federal courts in California who have concurred with the Shen reasoning.
Similarly, one cannot be sure that all courts agreeing with the “narrow view” set forth in Nosal also would accept the holding implicit in Christensen that a corrupt police officer does not exceed his “authorized access” to confidential government data bases when he logs in solely for the purpose of providing other persons, in exchange for a bribe, information to which they have no right. With all this uncertainty, the one thing that is certain is that the Ninth Circuit continues to embrace a very narrow and restrictive view of CFAA liability, in contrast to most of the other circuits in the nation.