On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA). In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.
The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA. Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.
Nosal’s Points
Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I). Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets. As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.” In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.
This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime. Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement). Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.
U.S. Government’s Arguments
On the other side of the spectrum lie the government’s arguments. Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA. Such a broad interpretation was met with raised brows from the members of the judicial panel.
Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brecka case. Per Brecka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway. In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing. After receiving some push-back from the panel after making such an argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.
With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time. Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value for not being generally known by the general public.
Possible Outcomes for Nosal and Beyond
Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic. In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case. In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use. At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.
Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument. As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit. The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.