The Computer Fraud and Abuse Act has been used by prosecutors to charge individuals who “exceed authorized access” (or act “without authorization”) on a computer–sometimes their employers’ computers, sometimes a stranger’s computer that they are hacking. The problem is that Congress didn’t bother to defined “authorized access.”
If you are a CFAA rookie, I’ve written about the basics of the CFAA before. Plus, I wrote about its use in an…interesting case involving fetishes and a police officer.
Over a single week in July, the Ninth Circuit weighed in with two decisions about the definition of “authorized access.” The opinions are both good and bad.
In United States v. Nosal (“Nosal II”), the Ninth Circuit affirmed the convictions of the defendants who had “conspir[ed] with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed.” The court tried to establish a bright-line rule about the meaning of “without authorization”:
Only the first prong of the section is before us in this appeal: knowingly and with intent to defraud accessing a computer “without authorization.” Embracing our earlier precedent and joining our sister circuits, we conclude that “without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.
This seems wonderfully straightforward. But not so fast, bub.
Just a week later, the Ninth Circuit issued another CFAA opinion. In Facebook v. Power Ventures, the Ninth Circuit (a different panel) held on July 12 that continuing to access a website after receiving a cease-and-desist letter from the website owner is accessing it “without authorization.” It’s worth noting that this is a civil case, not a criminal one. The court said that the facts were “closer to” the facts in Nosal II, though it didn’t spend much time discussing the decision.
But Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power on December 1, 2008. Facebook’s cease and desist letter informed Power that it had violated Facebook’s terms of use and demanded that Power stop soliciting Facebook users’ information, using Facebook content, or otherwise interacting with Facebook through automated scripts. Facebook then imposed IP blocks in an effort to prevent Power’s continued access.
The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway…
We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute.
Orin Kerr at the Volokh Conspiracy has written an excellent piece analyzing the Power Ventures decision and raising some concerns about it. His primary concern is how to reconcile Nosal I (an earlier decision in the same Nosal case) with Power Ventures, and how easy it would be to claim a CFAA violation under a plain reading of the decision. He writes:
This doesn’t mean that what Power did is necessarily a good thing. Maybe there should be other causes of action against Power for its conduct. But as I see it, the CFAA shouldn’t be one of them based on these facts. Facebook also could suspend the accounts of its users who authorized Power, or it could take technical steps to stop Power’s entry inside Facebook’s network. But I don’t think it should have been allowed to rely on the CFAA to keep Power away with a letter.
Scott Greenfield, in his inimitable fashion, suggests that Kerr may be too smart for his own good and that the Power Ventures decision was a pragmatic one, arising out of the facts before the court and not any deep-seated desire to allow criminal charges for simply violating terms of service (TOS) alone. He concludes his post:
What is clear is that the 9th Circuit has tried to craft a bright line test, and part of it is that violating a website’s TOS does not, standing alone, give rise to a CFAA violation. That’s not a bad thing, and it means that if you aren’t hopping on your left leg as you read this post (as required by my TOS as of this moment), you have yet to commit a felony. Here, at least.
I wish the Ninth Circuit in Power Ventures had stepped back for a moment and considered that it was interpreting a statute that has a criminal component. The opinion doesn’t consider the poss