On Tuesday, October 10, 2017, the United States Supreme Court denied certiorari in Nosal v. United States, 16-1344. Nosal asked the Court to determine whether a person violates the Computer Fraud and Abuse Act’s prohibition of accessing a computer “without authorization” when using someone else’s credentials (with that other user’s permission) after the owner of the computer expressly revoked the first person’s own access rights. In denying certiorari, the Court effectively killed the petitioner’s legal challenge to his conviction in a long-running case that we have extensively covered. The denial of certiorari leaves further development of the scope of the CFAA in the hands of the lower courts.
Nosal’s conviction resulted from accessing his former employer’s proprietary database in order to set up a competing business using credentials shared by an insider, his former executive assistant.
David Nosal was a recruiter employed by the executive search firm Korn/Ferry. To serve its clients and place executives in response to talent searches, Korn/Ferry maintained a confidential, proprietary database of detailed personal information about more than one million executives. Nosal left Korn/Ferry and launched a competing firm with two other Korn/Ferry colleagues. Korn/Ferry revoked Nosal’s and his colleagues’ authorization to access its database. After Nosal and his colleagues left Korn/Ferry, Nosal’s colleagues accessed the database at his behest using the log-in credentials of Nosal’s former executive assistant, who remained employed at Korn/Ferry and who was authorized to access the database. They used the assistant’s valid credentials to run searches for candidates and thereby compete with Korn/Ferry. Nosal was convicted of violating the CFAA on a theory of accomplice liability based on his colleagues’ actions. (See 18 U.S.C. § 1030(a).) Nosal was ordered to pay a sizable restitution award to Korn/Ferry and was sentenced to a year and a day in prison.
Ninth Circuit panel split on whether the case is “about password sharing,” and its amended opinion left unclear the scope of CFAA liability.
The Nosal case actually took two trips to the Ninth Circuit, but it was the latter trip that resulted in the recently denied certiorari petition (“Nosal II”). The Ninth Circuit’s opinion revealed internal divisions over not just the scope of the CFAA, but even what the case was about. Judge Reinhardt opened his dissenting opinion by flatly declaring, “This case is about password sharing.” Judge Reinhardt argued that the majority’s opinion upholding Nosal’s conviction could criminalize all sorts of common password sharing conduct among friends and family. To rebut Judge Reinhardt’s position, the majority focused on Korn/Ferry’s explicit revocation of access to Nosal, noting that, “Unequivocal revocation of computer access closes both the front door and the back door.” In the panel’s original opinion, the majority opinion directly contradicted Judge Reinhardt, stating, “This appeal is not about password sharing.” The court noted that mere violation of a website’s terms of service would not result in CFAA liability.
The Ninth Circuit declined to rehear Nosal II en banc, but the panel majority issued an amended opinion clarifying its perspective that the statute’s mens rea requirement for criminal liability—i.e., that the access be “knowing and with intent to defraud”—means that “the statute will not sweep in innocent conduct, such as family password sharing.”
Supreme Court declines to resolve alleged circuit split, leaving lower courts to develop the law.
Nosal then petitioned the United States Supreme Court for review, arguing that there was a circuit split over whether “the [computer] owner’s intentions, expectations, and contractual or agency relationships” are relevant to assessing whether access to a computer is “authorized” under the CFAA. Nosal contended that the First, Fifth, Seventh, and Ninth Circuits consider these factors, but that the Second and Fourth Circuits consider them to be irrelevant and view the CFAA as a simple anti-hacking statute where a defendant is liable for circumventing a technological barrier. Nosal argued that the Ninth Circuit’s “construction of the CFAA threatens to criminalize a broad swath of innocuous activity that ordinary people engage in every day.”
The Solicitor General opposed the petition on behalf of the United States. The United States argued that there was no real circuit split because the authorities that Nosal identified did not involve a circumstance where credentials were revoked but a former employee circumvented the revocation by using a different employee’s credentials to access the system. It framed the question narrowly, as whether the Ninth Circuit erred in upholding Nosal’s conviction.
In reply, Nosal argued that the distinctions identified by the United States regarding the case law in other circuits made no practical difference, and that the real divide is over whether the CFAA is an anti-hacking statute that requires circumventing a technological barrier, or if it is something broader, where the computer owner’s intent, expectations, and relationships are examined. Nosal further noted that the Ninth Circuit stood alone in categorically holding that an account-holder’s authorization is inadequate to avoid liability; Nosal argued that the First, Fifth and Seventh Circuits at least left the door open to reading “authorization” flexibly to include “password-sharing and other forms of derivative authorization consistent with the owner’s interests and reasonable expectations.”
Without Supreme Court intervention to clarify the standards for liability under the CFAA, it will fall to the circuits to continue to develop the contours of the law.
Ultimately, it is not clear that Nosal II’s statements articulate a workable test for criminal liability that does not place large swaths of the public in potential legal jeopardy. For example: What happens if a user of a video streaming subscription service stops paying for the service, has her access credentials invalidated (or, to use Nosal II’s terminology, “unequivocally revoked”) as a result of nonpayment, then uses a friend’s log-in information to access the service, intending to get—for free—the service that she once paid for? It is difficult to see how either the “unequivocal revocation” or “knowingly and with intent to defraud” caveats on the Nosal II panel’s analysis prevent at least the potential for CFAA criminal liability. It remains to be seen how lower courts will interpret the CFAA and apply Nosal and its peers in circumstances less fraught than the facts of Nosal. Will Nosal have an unintentionally broad reach? Or will it be reduced to an outlier? Only time will tell.