Computers, Privacy & the Constitution

"Authorized Access" under the CFAA: An Analysis of the 9th Circuit's Opinion in U.S. v. Nosal

-- By VictorA - 01 May 2013

Two years ago, the U.S. Court of Appeals for the Ninth Circuit decided en banc that people should read the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. 1030, narrowly, especially regarding the phrases "without authorization" and "exceeds authorized access." The dissenting opinion raises a few points that counter the Court's analysis and result, but, in my view, the 9th Circuit's interpretation of the CFAA is the more appropriate one.

Facts of U.S. v. Nosal

In U.S. v. Nosal, David Nosal worked for Korn/Ferry, an executive search firm, before leaving and convincing former colleagues who still worked for the firm to help him start a competing business. U.S. v. Nosal, 676 F.3d 854, 856 (9th Cir. 2012). The employees used their firm log-in information to download confidential information and then transferred that information to Nosal. Id. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information. Id. The government indicted Nosal on several counts; the CFAA counts charged Nosal with violations of 18 U.S.C. 1030(a)(4) for aiding and abetting the Korn/Ferry employees in "exceed[ing their] authorized access" with intent to defraud. Id. The district court for the Northern District of California and the 9th Circuit decided in favor of Nosal, and the 9th Circuit agreed to rehear the case en banc. Id.

The 9th Circuit's Analysis

Kozinski, writing for the 9th Circuit, decided for Nosal, interpreting "without authorization" and "exceeds authorized access" narrowly. According to Kozinski, "'exceeds authorized access' in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use." Id. at 864. The Court had to decide between Nosal's narrow construction, based on the belief that the CFAA was meant to stop hackers, and the government's broad construction, based on the belief that the CFAA now applies to more than just hackers. Kozinski argued that when "[one] defines the phrase ['exceeds authorized access'] for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute . . . . [One] must therefore consider how the interpretation [one] adopt[s] will operate wherever in that section the phrase appears." Nosal at 859.

Kozinski looked at 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Id. Interpreting "exceeds authorized access" broadly would have hugely negative ramifications, resulting in "millions of unsuspecting individuals [finding] that they are engag[ed] in criminal conduct." Id. Applying the government's preferred meaning to other sections would turn innocuous behavior into criminal behavior. Kozinski then argued that, in statutory interpretation, the “rule of lenity” requires penal laws to be construed strictly. “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before [one] choose[s] the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” Id. at 863. Kozinski concluded that the rule of lenity requires the CFAA and the phrase "exceeds authorized access" to be construed “narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.” Id.

Interpreting "Exceeds Authorized Access"

In his dissent, Judge Silverman brings up a few contrary points. First, Silverman argues that the CFAA covers both "unauthorized access" and "exceed[ing] authorized access." According to Silverman, these are two different ways to commit a theft. One may be prohibited from doing something altogether (unauthorized access) or authorized to do something but prohibited from going beyond what is authorized (exceeding authorized access). Id. at 865. Silverman agrees with the government that the CFAA deals with hacking under the phrase "without authorization" but also deals with employees and other types of people under the phrase "exceeds authorized access."

Kozinski counters by saying that "without authorization" applies to outside hackers (individuals with no authorized access) and "exceeds authorized access" applies to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information). Id. at 858. Kozinski believes both phrases focus on hacking here.

Kozinski's analysis prevents Silverman's conclusion from having much force by utilizing the rule of lenity. Applying such a broad construction of "exceeds authorized access" to the other subsections of the CFAA would make the CFAA an expansive misappropriation statute. Id. at 857. Applying the rule of lenity here would mean that "exceeds authorized access" should be interpreted narrowly in order to avoid the harsher alternative.

Considering Other Sections When Interpreting Phrases

Second, Silverman argues that the 9th Circuit should not have to interpret the CFAA narrowly just because of the implications one definition of "exceeds authorized access" may have on the other subsections of 1030. Under this argument, Silverman argues that Kozinski should not have discussed the rule of lenity in the first place. According to Silverman, “[o]ther sections of the CFAA may or may not be unconstitutionally vague or pose other problems. [The 9th Circuit] needs to wait for an actual case or controversy to frame these issues, rather than posit a laundry list of wacky hypotheticals.” Id. at 866. While Kozinski believes that one should consider the implications of interpreting a phrase one way on the other subsections, Silverman believes a judge should focus only on the issues at hand. According to him, if there are problems in other sections, the Court should wait for an actual case to address those issues.

I'm not sure if there is a "right" or "wrong" for either side here because I feel that this is just a difference in viewpoints. Both sides have valid points. I side with Kozinski because I believe that other subsections should be considered when determining how to interpret a phrase of a statute. It would be better to interpret the phrase "exceeds authorized access" narrowly because the alternative would make the CFAA much more expansive, criminalizing many unsuspecting people for innocuous behavior. If Congress meant to be broader with its statute, it should have written the statute and definitions more clearly.

Why is this important? An outlier opinion after en banc consideration is without such significance as you seem to be giving it, absent some serious mistake by a large number of other judges, all of whom have pretty much seen it this way all along, and with whom you can't find a serious reason to disagree.

The plain inference is that there's no here here, which there isn't. Once again you've chosen a narrow non-issue, marching up a little hill and down again on the other side, with drums and trumpets. Why?

-- VictorA - 01 May 2013




r3 - 14 Jan 2015 - 22:44:50 - IanSullivan
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.